How to edit my regex in transforms.conf to filter out Windows event logs with EventCode=4624 for a given user?

smichalowski
New Member

Hello everybody,

I am new to Splunk.

What is my problem:
A Universal Forwarder sends Windows Event Logs to an Indexer (Splunk 6.x). On the indexer I want to filter out, before indexing, all events with EventCode=4624 which are generated for a user with the account name "John". I have created props.conf and transforms.conf on the indexer. I have a problem with the regex (I am sure that the problem is with the regex, because if I put REGEX=. in transforms.conf all events are filtered out).

In transforms.conf I have:

REGEX=(?m)^(EventCode=4624)(Account\s*name.\s*John)

It does not work. Events with this code and for this user are still indexed. Could you help me in defining proper regex?
thank you in advance
Slawomir

0 Karma

narwhal
Splunk Employee

Pretty sure you can't use trailing #blah style comments on the REGEX line. Splunk will want THAT to be part of the matching REGEX.

0 Karma

smichalowski
New Member

I don't use it; I added it in this discussion to underline that in the real file the backslash exists.
Below copy/paste of the real transforms.conf file:

[wminull]
REGEX=(EventCode=4624).+(Account\s+Name:.+John)
DEST_KEY=queue
FORMAT=nullQueue

0 Karma

rsennett_splunk
Splunk Employee

There are a couple of problems with your regex. You want to use the ?s flag, turning it all into a single line, rather than ?m.
When the regex looks at it all as one line you can then use the .+ to cover the distance.
Your regex doesn't account for what's in between the first capturing group and the second one...
Try it out in regex101.com and you'll see what I'm talking about.

(EventCode=4624).+(Account\s+Name:.+John)

for an event that looks like this:

10/14/2013 08:29:33 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=SP-SQL.bd.splunk.com
TaskCategory=Logoff
OpCode=Info
RecordNumber=3544
Keywords=Audit Success
Message=An account was logged off.

Subject:
    Security ID:        BD\John
    Account Name:       John
    Account Domain:     BD
    Logon ID:       0x5886A

Logon Type:         3

Another option is to check here:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/MonitorWindowsdata#Create_advanced_filters_wi...

The example given is pretty much what you want:
whitelist = EventCode="^1([0-5])$" Message="^Error"

This is done in inputs.conf not transforms.conf

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

rsennett_splunk
Splunk Employee

The answer has been edited to show an alternate method in inputs.conf

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

smichalowski
New Member

Thank you for the response and help. In fact my regex didn't work in regex101.com. Yours is OK; it works in regex101.com. So I added your regex to transforms.conf.
transforms.conf is as follows now:

[wminull]
REGEX=(EventCode=4624).+(Account\s+Name:.+John)   #between 'Account' and 's' there is backslash but is not displayed
DEST_KEY=queue
FORMAT=nullQueue

props.conf is:

[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull

I have restarted Splunk and no results. Events are still indexed :-(. What is wrong???

My observation is: when a regex works in the search line, it doesn't work in transforms.conf.

0 Karma
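The following is an added example, not code from the thread or from Splunk. It runs the three REGEX values discussed above (the asker's original, the suggested one, and the suggested one with the ?s flag) against a sample event modelled on the one quoted in the answer, using Python's re module as a stand-in for the PCRE engine that transforms.conf uses; for these constructs the two behave the same. It goes one step beyond the thread by adding a stricter pattern (an assumption of this example, not from the page) that will not also drop events for account names that merely start with "John", such as "Johnny".

```python
import re

# Constructed sample event, modelled on the one quoted in the answer above.
# The blank lines and the indentation mirror a multi-line Windows event.
SAMPLE_EVENT = """10/14/2013 08:29:33 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=SP-SQL.bd.splunk.com
TaskCategory=Logoff
OpCode=Info
RecordNumber=3544
Keywords=Audit Success
Message=An account was logged off.

Subject:
    Security ID:        BD\\John
    Account Name:       John
    Account Domain:     BD
    Logon ID:       0x5886A

Logon Type:         3
"""

# Control events (constructed): same EventCode, different account names.
OTHER_USER_EVENT = SAMPLE_EVENT.replace("Account Name:       John",
                                        "Account Name:       Alice") \
                               .replace("BD\\John", "BD\\Alice")
JOHNNY_EVENT = SAMPLE_EVENT.replace("Account Name:       John",
                                    "Account Name:       Johnny")

# The REGEX values from the thread, in the order they appeared.
ORIGINAL_REGEX = r"(?m)^(EventCode=4624)(Account\s*name.\s*John)"
SUGGESTED_REGEX = r"(EventCode=4624).+(Account\s+Name:.+John)"
SINGLE_LINE_REGEX = r"(?s)(EventCode=4624).+(Account\s+Name:.+John)"

# Hypothetical stricter pattern (not from the thread): ?s lets .+ span lines,
# ?m lets ^ and $ anchor the "Account Name:" line so "John" must be the whole
# account name rather than a prefix of a longer one.
STRICT_REGEX = r"(?sm)^EventCode=4624$.+^\s*Account Name:\s+John\s*$"


def would_route_to_nullqueue(regex: str, event: str) -> bool:
    """Return True if a transforms.conf REGEX would match this raw event.

    transforms.conf applies REGEX to the whole raw event with search
    semantics (a match anywhere is enough); on a match the event is sent
    to DEST_KEY, here the nullQueue.
    """
    return re.search(regex, event) is not None


def evaluate_all(event: str) -> dict:
    """Evaluate every pattern in the thread against one event."""
    return {
        "original": would_route_to_nullqueue(ORIGINAL_REGEX, event),
        "suggested": would_route_to_nullqueue(SUGGESTED_REGEX, event),
        "single_line": would_route_to_nullqueue(SINGLE_LINE_REGEX, event),
        "strict": would_route_to_nullqueue(STRICT_REGEX, event),
    }


if __name__ == "__main__":
    for name, event in [("John", SAMPLE_EVENT),
                        ("Alice", OTHER_USER_EVENT),
                        ("Johnny", JOHNNY_EVENT)]:
        print(name, evaluate_all(event))
```

Two things fall out of running it. The original pattern fails because `^(EventCode=4624)` must be followed immediately by `Account`, whereas a newline and several other lines intervene (and `name` is lower-case, while the event says `Name`). The suggested pattern also fails on a multi-line event as long as the ?s flag is absent, because `.` does not cross a newline, so `.+` can never bridge the gap between the `EventCode=` line and the `Account Name:` line; with `(?s)` in front it matches. The single-line pattern still matches "Johnny", which the stricter anchored variant avoids, a point worth checking before dropping logon events at the indexer, since over-matching silently discards audit data. A regex that passes a check like this but still has no effect on the indexer points away from the regex and at the props.conf stanza name, which must match the events' actual sourcetype (or source or host) for the TRANSFORMS- setting to be applied at all.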