Another awesome Regex question, related to Windows. I have a Windows EventCode=4663. The event contains a ProcessName field which Splunk extracts successfully on its own.
I want to write a transform that sends events matching this EventCode AND any of three different possible ProcessNames to the nullqueue. Yes, that's two criteria in a transform.
Is this possible? What's the correct syntax?
Using Perl editors for regex online, versus using the regex command or rex command in Splunk Web, versus trying a REGEX in a transform - they all seem to be slightly different in the rules you have to follow....
Here's an example of an eventcode 4663:
Log Name: Security
Date: 11/9/2011 5:12:18 AM
Event ID: 4663
Task Category: File System
Keywords: Audit Success
An attempt was made to access an object.
Security ID: SYSTEM
Account Name: dcc1$
Account Domain: LOGISTICS
Logon ID: 0x3e7
Object Server: Security
Object Type: File
Handle ID: 0x530
Process ID: 0xc0c
Process Name: C:\Windows\servicing\TrustedInstaller.exe
Access Request Information:
Access Mask: 0x100
Can't test this out myself at the mo, but have done something similar in the past.
Note, you have to escape the \'s and .'s in the process name, and proc 2 and proc 3 are the other processes you are trying to drop.
Give this a try
REGEX=(?msi)EventCode=4663.*Process\s+Name:\s+(C:\\Windows\\servicing\\TrustedInstaller\.exe|proc 2|proc 3)
Getting fairly good at this now, when I watch my syntax...magic ingredient is the following:
REGEX=(?msi)^EventCode=4663.+?Process\sName:\s+(C:\\Windows\\servicing\\TrustedInstaller\.exe|proc 2|proc 3)
seems to work every time with this syntax....yay!!
Splunk stripped out my backslashes before the s's in the above phrase....should occur after "process" and "Name:"....
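A way to check this transform outside Splunk before deploying it, as an added example that is not from the original thread: Python's re engine accepts the same (?msi), \s and alternation syntax, so the regex can be built with the escaping the answer describes, tried against a constructed sample event in the key=value layout a Splunk Windows input forwards, and emitted as the props.conf / transforms.conf stanzas that wire it in. The DROP_PROCESSES paths, the stanza name and the sourcetype are assumptions; the pattern also pins the EventCode line so 4663 is not matched by 46630, which the thread's pattern does not do.

```python
import re

# Constructed sample event in the key=value layout that Splunk's Windows event
# log input forwards (the question shows the Event Viewer rendering instead);
# the values are made up, only the field names matter to the regex.
SAMPLE_4663 = (
    "11/09/2011 05:12:18 AM\n"
    "LogName=Security\n"
    "EventCode=4663\n"
    "Message=An attempt was made to access an object.\n"
    "Subject:\n"
    "\tAccount Name:\t\tdcc1$\n"
    "Object:\n"
    "\tProcess ID:\t\t0xc0c\n"
    "\tProcess Name:\t\tC:\\Windows\\servicing\\TrustedInstaller.exe\n"
)

# Processes whose 4663 events should be dropped; the last two are hypothetical
# stand-ins for the "proc 2" / "proc 3" placeholders in the answer.
DROP_PROCESSES = [
    r"C:\Windows\servicing\TrustedInstaller.exe",
    r"C:\Program Files\BackupAgent\backupagent.exe",
    r"C:\Program Files\AVScanner\scanner.exe",
]


def build_nullqueue_regex(event_code, process_names):
    """Build the REGEX value for the transforms.conf stanza."""
    # re.escape doubles the backslashes and escapes the dots, which is the
    # escaping the answer calls for.  (?m) lets ^ and $ pin the EventCode line
    # so 4663 does not also match 46630, (?s) lets .+? cross line breaks to
    # reach Process Name, and (?i) ignores case.
    alternation = "|".join(re.escape(p) for p in process_names)
    return rf"(?msi)^EventCode={event_code}$.+?Process\sName:\s+({alternation})"


def should_drop(regex, event):
    """True when this transform would route the event to nullQueue."""
    return re.search(regex, event) is not None


def nullqueue_stanzas(transform_name, sourcetype, regex):
    """Return the props.conf and transforms.conf text that wire the regex in."""
    props = f"[{sourcetype}]\nTRANSFORMS-{transform_name} = {transform_name}\n"
    transforms = (f"[{transform_name}]\nREGEX = {regex}\n"
                  "DEST_KEY = queue\nFORMAT = nullQueue\n")
    return props, transforms
```

The emitted REGEX line is PCRE-compatible, so it can be pasted into transforms.conf as-is after the stanza names are adjusted to the real sourcetype.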
UPDATE Splunk 6.*
Since this version you can actually specify a list or range of EventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.
disabled = 0