Hello everybody,
I am new to Splunk.
Here is my problem:
The Universal Forwarder sends Windows Event Logs to the Indexer (Splunk 6.x). On the indexer I want to filter out, before indexing, all events with EventCode=4624 which are generated for a user with account name "John". I have created props.conf and transforms.conf on the indexer. I have a problem with the regex (I am sure that the problem is with the regex, because if I put REGEX=. in transforms.conf all events are filtered out).
In transforms.conf I have:
REGEX=(?m)^(EventCode=4624)(Account\s*name.\s*John)
It does not work. Events with this code and for this user are still indexed. Could you help me define a proper regex?
Thank you in advance
Slawomir
Pretty sure you can't use trailing #blah style comments on the REGEX line. Splunk will want THAT to be part of the matching REGEX.
I don't use it - I added it in this discussion to underline that in the real file the backslash exists.
Below copy/paste of the real transforms.conf file:
[wminull]
REGEX=(EventCode=4624).+(Account\s+Name:.+John)
DEST_KEY=queue
FORMAT=nullQueue
There are a couple of problems with your regex. You want to use the ?s flag, turning it all into a single line, rather than ?m. When the regex looks at it all as one line you can then use the .+ to cover the distance.
Your regex doesn't account for what's in between the first capturing group and the second one...
Try it out in regex101.com and you'll see what I'm talking about.
(EventCode=4624).+(Account\s+Name:.+John)
for an event that looks like this:
10/14/2013 08:29:33 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=SP-SQL.bd.splunk.com
TaskCategory=Logoff
OpCode=Info
RecordNumber=3544
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: BD\John
Account Name: John
Account Domain: BD
Logon ID: 0x5886A
Logon Type: 3
Another option is to check here:
The example given is pretty much what you want:
whitelist = EventCode="^1([0-5])$" Message="^Error"
This is done in inputs.conf, not transforms.conf.
The answer has been edited to show an alternate method in inputs.conf
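The following is an added example (not from the original post, the answer, or Splunk itself) that runs the question's regex and the answer's regex against the sample event above with Python's re module, which handles (?m), (?s), \s, ^ and $ the same way PCRE does for these patterns. It also tries a tighter, line-anchored variant, which is my own suggestion rather than anything on the page, and three constructed variants of the event (a different account with "John" in a later field, an account called "Johnny", and a 4625 for John) to show where the ".+John" form over-matches. The event text and the variant events are constructed here.

```python
import re

# Constructed sample event, modelled on the one shown in the answer above.
# Not a raw string, so the "\\" yields the single backslash in the Security ID.
EVENT_4624_JOHN = """10/14/2013 08:29:33 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=SP-SQL.bd.splunk.com
TaskCategory=Logoff
OpCode=Info
RecordNumber=3544
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: BD\\John
Account Name: John
Account Domain: BD
Logon ID: 0x5886A
Logon Type: 3"""

# Variants built from the sample above (also constructed): another account with
# "John" only in a later, unrelated field; an account named "Johnny"; and the
# same account but a different event code.
EVENT_4624_MARY = (
    EVENT_4624_JOHN.replace("Security ID: BD\\John", "Security ID: BD\\Mary")
    .replace("Account Name: John", "Account Name: Mary")
    + "\nWorkstation Name: John-PC"
)
EVENT_4624_JOHNNY = EVENT_4624_JOHN.replace("Account Name: John", "Account Name: Johnny")
EVENT_4625_JOHN = EVENT_4624_JOHN.replace("EventCode=4624", "EventCode=4625")

PATTERNS = {
    # The question's regex: (?m) only changes what ^ and $ mean; "." still cannot
    # cross the newlines between the EventCode= line and the Account Name: line.
    "original": r"(?m)^(EventCode=4624)(Account\s*name.\s*John)",
    # The answer's regex: (?s) makes "." match newlines, so ".+" spans lines.
    "answer": r"(?s)(EventCode=4624).+(Account\s+Name:.+John)",
    # Tighter form (my suggestion, not from the page): combine (?s) and (?m) and
    # anchor both fields to whole lines, so "Johnny", "John Smith" or a "John"
    # in some later field do not match.
    "strict": r"(?sm)^EventCode=4624$.+^Account Name:\s*John\s*$",
}


def matches(pattern: str, event: str) -> bool:
    """True if a transforms.conf-style REGEX matches anywhere in the raw event."""
    return re.search(pattern, event) is not None


def would_drop(event: str) -> dict:
    """For each pattern, whether this event would be sent to nullQueue."""
    return {name: matches(pat, event) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    samples = [
        ("4624/John", EVENT_4624_JOHN),
        ("4624/Mary", EVENT_4624_MARY),
        ("4624/Johnny", EVENT_4624_JOHNNY),
        ("4625/John", EVENT_4625_JOHN),
    ]
    for label, ev in samples:
        print(f"{label:12} {would_drop(ev)}")
```

The "original" pattern never matches the sample because it requires "Account" to follow "4624" with nothing in between and spells "name" in lower case. The "answer" pattern drops the intended event, but also drops the Mary and Johnny variants, since ".+John" runs to any later "John" in the event; the anchored form drops only the 4624 for the account literally named John. When pasting any of these into transforms.conf, keep the REGEX line free of trailing comments, as noted earlier in the thread.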
Thank you for the response and help. In fact my regex didn't work in regex101.com. Yours is ok. It works in regex101.com. So, I added your regex to transforms.conf.
transforms.conf is as follow now:
[wminull]
REGEX=(EventCode=4624).+(Account\s+Name:.+John) #between 'Account' and 's' there is backslash but is not displayed
DEST_KEY=queue
FORMAT=nullQueue
props.conf is:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull
I have restarted Splunk and no results. Events are still indexed :-(. What is wrong???
My observation is: when a regex works in the search line, it doesn't work in transforms.conf.