Route Rtvscan events to null using:

props.conf

[WinEventLog:Security]
# transforms run in the listed order; the last matching one sets the queue
TRANSFORMS-rtvscan = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
# 4656 (handle to an object was requested) events generated by Rtvscan.exe go to the null queue
REGEX = (?msi)EventCode=4656.*Process Name:\s.*Rtvscan\.exe
DEST_KEY = queue
FORMAT = nullQueue

[carrot]
# everything else keeps going to the index queue
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

(\__/)
(='.'=)
(")_(")
You can use a blacklist in the input (depending on how you have your monitor stanza configured):
http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf
Another option would be to use a nullQueue to filter the events:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...
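The input-side alternative mentioned above, written out as an added example (not from either answer): an inputs.conf blacklist on the forwarder drops the Rtvscan 4656 events before they are ever sent, so they never consume indexer parsing or license volume. It assumes the key=regex blacklist syntax for Windows Event Log inputs and the stanza name [WinEventLog://Security]; the blacklist number and the regex text are assumptions matching the transform above.

```ini
# inputs.conf on the universal forwarder collecting the Security log
[WinEventLog://Security]
disabled = 0

# Drop only 4656 events whose Process Name is Rtvscan.exe.
# Each key=regex pair must match for the event to be discarded, so
# other 4656 events (and all other EventCodes) are still forwarded.
blacklist1 = EventCode="4656" Message="Process Name:\s+.*Rtvscan\.exe"
```

Because this filter runs at collection time, dropped events are not recoverable later; the nullQueue transform is the place to filter if the indexer or a heavy forwarder should keep the decision centralised.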