Splunk Search
Highlighted

How do you filter Windows Event Log?

Contributor

I've tried to filter native event logs being indexed using the [WinEventLog...] sourcetype. Here are the config:

props.conf

[WinEventLog:Security]
TRANSFORMS-set = delete

transforms.conf

[delete]
REGEX = .*EventCode\=540.*
DEST_KEY = queue
FORMAT = nullQueue

Wondering if this is a bug?!

Highlighted

Re: How do you filter Windows Event Log?

Splunk Employee
Splunk Employee

Though you don't actually say, I assume your problem is the events with EventCode 540 are not being dropped and that you want them to be. I do not know of any bugs in this area.

However, if that is what you are trying to do, one problem is that the "EventCode" you are presumably looking for is usually found at the beginning of a line, while the regex in your configuration requires a "." before it. By default, "." does not match line breaks, so your regex will not match what you intend. A regex that does do what you probably want is "(?m)^EventCode=540".

View solution in original post

Highlighted

Re: How do you filter Windows Event Log?

Contributor

That works great! Yes I do want to drop specific events. How do you another condition in the regex? Say with the EventCode, I also want to include all username "Anonymous Logon"? I'm thinking on the regex "(?m)^EventCode=540.ANONYMOUS LOGON.Logon Type: 3"

0 Karma
Highlighted

Re: How do you filter Windows Event Log?

Splunk Employee
Splunk Employee

You should look at the documents for PCRE: http://perldoc.perl.org/perlre.html
You probably want to use the (?msi) prefix on your regex if you want it to work.

Highlighted

Re: How do you filter Windows Event Log?

Contributor

Took awhile but I was able to get my exact regex. I did use the (?msi) prefix. Thanks alot!

0 Karma
Highlighted

Re: How do you filter Windows Event Log?

Super Champion

I recommend adding a not-a-digit at the end of that regex. For example: "(?m)^EventCode=540\D" just so you aren't matching some other event code.