Splunk Search

Looking to filter out C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan events

andrewsmiley
Engager

Once a week when Symantec runs a full scan our quota gets blown out of the water. Is there a way to filter these events out so they are not forwarded to the index server?

Tags (3)
1 Solution

Chubbybunny
Splunk Employee
Splunk Employee

route Rtvscan events to null using

props.conf

[WinEventLog:Security]
TRANSFORMS = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
REGEX = (?msi)EventCode=4656.*Process Name:\s.*Rtvscan.exe 
DEST_KEY = queue 
FORMAT = nullQueue


[carrot]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue


(\__/)
(='.'=)
(")_(")

View solution in original post

Chubbybunny
Splunk Employee
Splunk Employee

route Rtvscan events to null using

props.conf

[WinEventLog:Security]
TRANSFORMS = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
REGEX = (?msi)EventCode=4656.*Process Name:\s.*Rtvscan.exe 
DEST_KEY = queue 
FORMAT = nullQueue


[carrot]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue


(\__/)
(='.'=)
(")_(")

dshpritz
SplunkTrust
SplunkTrust

You can use a blacklist in the input (depending on how you have your monitor stanza configured):

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

Another option would be to use a nullQueue to filter the events:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...