Splunk Search

REGEX in transforms for windows path and EventCode

gsawyer1
Engager

Another awesome Regex question, related to Windows. I have a Windows EventCode=4663. The event contains a Process_Name field which Splunk extracts successfully on its own.
I want to write a transform to catch events that match this EventCode AND any of three different possible Process_Names, and send them to the nullqueue. Yes, that's two criteria in a transform.

Is this possible? What's the correct syntax?

Using Perl Editors for Regex online, versus using the regex command or rex command in Splunkweb, versus trying a REGEX in transform - they all seem to be slightly different in the rules you have to follow....
Here's an example of an eventcode 4663:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/9/2011 5:12:18 AM
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: dcc1.Logistics.corp
Description:
An attempt was made to access an object.

Subject:
Security ID: SYSTEM
Account Name: dcc1$
Account Domain: LOGISTICS
Logon ID: 0x3e7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\servicing\Packages\Package_2_for_KB2620704~31bf3856ad364e35~x86~~6.0.1.0.mum
Handle ID: 0x530

Process Information:
Process ID: 0xc0c
Process Name: C:\Windows\servicing\TrustedInstaller.exe

Access Request Information:
Accesses: WriteAttributes
Access Mask: 0x100

0 Karma
1 Solution

JovanMilosevic
Path Finder

Hi,

Can't test this out myself at the mo, but have done something similar in the past.

Note, you have to escape the \'s and .'s in the process name, and proc 2 and proc 3 are the other processes you are trying to drop.

Give this a try

REGEX=(?msi)EventCode=4663.*Process\s+Name:\s+(C:\\Windows\\servicing\\TrustedInstaller\.exe|proc 2|proc 3)

DEST_KEY=queue

FORMAT=nullQueue


0 Karma

yannK
Splunk Employee

UPDATE splunk 6.*
Since this version you can actually specify a list or range of eventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.

see
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

example:

[WinEventLog:Security]
disabled = 0
blacklist=566,800-850

gsawyer1
Engager

Getting fairly good at this now, when I watch my syntax...magic ingredient is the following:

REGEX=(?msi)^EventCode=4663.+?Process\sName:\s+(C:\\Windows\\servicing\\TrustedInstaller\.exe|proc 2|proc 3)
DEST_KEY=queue
FORMAT=nullQueue

seems to work every time with this syntax....yay!!

0 Karma

gsawyer1
Engager

Splunk stripped out my backslashes before the s's in the above phrase....should occur after "process" and "Name:"....

0 Karma
