Solved: Re: Looking to filter out C:\Program Files (x86)\S...

andrewsmiley · ‎05-30-2012

Once a week when Symantec runs a full scan our quota gets blown out of the water. Is there a way to filter these events out so they are not forwarded to the index server?

Chubbybunny · ‎05-31-2012

route Rtvscan events to null using

props.conf

[WinEventLog:Security]
TRANSFORMS = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
REGEX = (?msi)EventCode=4656.*Process Name:\s.*Rtvscan.exe 
DEST_KEY = queue 
FORMAT = nullQueue


[carrot]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue


(\__/)
(='.'=)
(")_(")

View solution in original post

Chubbybunny · ‎05-31-2012

route Rtvscan events to null using

props.conf

[WinEventLog:Security]
TRANSFORMS = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
REGEX = (?msi)EventCode=4656.*Process Name:\s.*Rtvscan.exe 
DEST_KEY = queue 
FORMAT = nullQueue


[carrot]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue


(\__/)
(='.'=)
(")_(")

dshpritz · ‎05-30-2012

You can use a blacklist in the input (depending on how you have your monitor stanza configured):

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

Another option would be to use a nullQueue to filter the events:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...

Looking to filter out C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan events

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!