Splunk Search

Looking to filter out C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan events

andrewsmiley
Engager

Once a week when Symantec runs a full scan our quota gets blown out of the water. Is there a way to filter these events out so they are not forwarded to the index server?

Tags (3)
1 Solution

Chubbybunny
Splunk Employee
Splunk Employee

route Rtvscan events to null using

props.conf

[WinEventLog:Security]
TRANSFORMS = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
REGEX = (?msi)EventCode=4656.*Process Name:\s.*Rtvscan.exe 
DEST_KEY = queue 
FORMAT = nullQueue


[carrot]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue


(\__/)
(='.'=)
(")_(")

View solution in original post

Chubbybunny
Splunk Employee
Splunk Employee

route Rtvscan events to null using

props.conf

[WinEventLog:Security]
TRANSFORMS = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
REGEX = (?msi)EventCode=4656.*Process Name:\s.*Rtvscan.exe 
DEST_KEY = queue 
FORMAT = nullQueue


[carrot]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue


(\__/)
(='.'=)
(")_(")

View solution in original post

dshpritz
SplunkTrust
SplunkTrust

You can use a blacklist in the input (depending on how you have your monitor stanza configured):

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

Another option would be to use a nullQueue to filter the events:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!