I am new to Splunk.
What is my problem:
The Universal Forwarder sends Windows Event Logs to the Indexer (Splunk 6.x). On the indexer I want to filter out, before indexing, all events with EventCode=4624 which are generated for a user with account name "John". I have created props.conf and transforms.conf on the indexer. I have a problem with the regex (I am sure that the problem is with the regex, because if I put REGEX=. in transforms.conf all events are filtered out).
In transforms.conf I have:
It does not work. Events with this code and for this user are still indexed. Could you help me in defining proper regex?
Thank you in advance.
There are a couple of problems with your regex. You want to use the (?s) flag, turning it all into a single line, rather than (?m). When the regex looks at it all as one line you can then use .+ to cover the distance.
Your regex doesn't account for what's in between the first capturing group and the second one...
Try it out in regex101.com and you'll see what I'm talking about.
For an event that looks like this:
10/14/2013 08:29:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=SP-SQL.bd.splunk.com TaskCategory=Logoff OpCode=Info RecordNumber=3544 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: BD\John Account Name: John Account Domain: BD Logon ID: 0x5886A Logon Type: 3
Another option is to check here:
The example given is pretty much what you want:
whitelist = EventCode="^1([0-5])$" Message="^Error"
This is done in
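Added example (not from the original thread or from Splunk): the point about (?m) versus (?s) can be checked offline, because Python's re module treats those two flags the same way PCRE does. The script below runs the pattern posted in the thread over a constructed multi-line 4624 event, once with (?m) and once with (?s), and also tries a tighter variant that requires the name to follow the "Account Name:" label directly. The event text, the user names, the route() simulation of DEST_KEY=queue / FORMAT=nullQueue and the tightened pattern are all assumptions made for this example.

```python
"""Why (?m) does not help and (?s) does, for a multi-line Windows event.

Added example, not code from the original thread. Python's re module
handles (?s) and (?m) the same way PCRE (and so Splunk's REGEX) does,
which makes it a convenient place to check a transforms.conf pattern.
"""
import re

# Constructed sample events (made-up values, field layout mimics what
# the universal forwarder sends for a Security log entry).
EVENT_JOHN = (
    "10/14/2013 08:29:33 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4624\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=SP-SQL.bd.splunk.com\n"
    "TaskCategory=Logon\n"
    "Message=An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tBD\\John\n"
    "\tAccount Name:\t\tJohn\n"
    "\tAccount Domain:\t\tBD\n"
    "\tLogon ID:\t\t0x5886A\n"
    "\tLogon Type:\t\t3\n"
)
EVENT_ALICE = EVENT_JOHN.replace("John", "Alice")
# Alice's event that merely mentions "John" further down (constructed).
EVENT_ALICE_MENTIONS_JOHN = EVENT_ALICE + "\tWorkstation Name:\tJohn-PC\n"

# The pattern posted in the thread, first with (?m), then with (?s).
# (?m) only changes what ^ and $ mean; '.' still refuses to cross a
# newline, so '.+' can never get from the EventCode line to the
# Account Name line. (?s) lets '.' match newlines as well.
PATTERN_M = r"(?m)EventCode=4624.+Account\s+Name:.+John"
PATTERN_S = r"(?s)EventCode=4624.+Account\s+Name:.+John"
# Tighter variant (assumption, not from the thread): the name must come
# right after the field label and be a whole word, so a "John" anywhere
# later in the event is not enough to drop it.
PATTERN_TIGHT = r"(?s)EventCode=4624.+Account Name:\s+John\b"


def matches(pattern: str, event: str) -> bool:
    """re.search, because Splunk's REGEX is unanchored by default."""
    return re.search(pattern, event) is not None


def route(event: str, pattern: str = PATTERN_TIGHT) -> str:
    """Simulation of DEST_KEY=queue / FORMAT=nullQueue: a matching event
    is dropped, anything else goes to indexQueue. Not Splunk's engine."""
    return "nullQueue" if matches(pattern, event) else "indexQueue"


if __name__ == "__main__":
    samples = [("John", EVENT_JOHN), ("Alice", EVENT_ALICE),
               ("Alice+John-PC", EVENT_ALICE_MENTIONS_JOHN)]
    for name, ev in samples:
        print(f"{name:14} (?m):{matches(PATTERN_M, ev)!s:6} "
              f"(?s):{matches(PATTERN_S, ev)!s:6} "
              f"tight:{matches(PATTERN_TIGHT, ev)!s:6} -> {route(ev)}")
```

Run it as is: the (?m) pattern never matches the John event, the (?s) pattern matches it but also drops Alice's event once "John" appears anywhere after the label, and the tightened pattern drops only John's logon. The same three patterns can be pasted into regex101.com with the event text to see the same result.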
Thank you for the response and help. In fact, my regex didn't work in regex101.com. Yours is OK; it works in regex101.com. So I added your regex to transforms.conf.
transforms.conf is as follow now:
[wminull]
REGEX=(EventCode=4624).+(Account\s+Name:.+John) #between 'Account' and 's' there is a backslash but it is not displayed
DEST_KEY=queue
FORMAT=nullQueue
I have restarted Splunk and no results. Events are still indexed :-(. What is wrong?
My observation is: when the regex works in the search line, it doesn't work in transforms.conf.
The answer has been edited to show an alternate method in inputs.conf
Pretty sure you can't use trailing #blah style comments on the REGEX line. Splunk will want THAT to be part of the matching REGEX.
I don't use it; I added it in this discussion to underline that in the real file the backslash exists.
Below copy/paste of the real transforms.conf file: