REGEX to filter out event records

aportela
New Member

At the indexer, we are trying to exclude event records from incoming windows logs that have Logon_Type=3.

Below is the configuration that we have, but it doesn't seem to work. Also, is there a way to test this code via the Search option in the UI before putting it in the conf files?

props.conf entry:

[source::WinEventLog:Security]
TRANSFORMS-nullq=Remove_Logon_Type_3

transforms.conf entry:

[Remove_Logon_Type_3]
REGEX=(?msi).*Logon Type:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue

Sample event record below. We are trying to eliminate records based on matching a text string in the record, because we are not sure whether we can explicitly name a specific field like "Logon_Type".

09/04/2013 06:18:26 PM
LogName=Security
SourceName=Security
EventCode=538
EventType=8
Type=Success Audit
ComputerName=SNODEV106
User=polypaths
Sid=S-1-5-21-1971354296-1767978563-709122288-167354
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=3049159
Message=User Logoff:
        User Name:  polypaths
        Domain:     CGUSER
        Logon ID:   (0x0,0x644269C)
        Logon Type: 3

Please advise.
Thanks… Al


kalianov
Path Finder

I use a blacklist stanza in the
inputs.conf file on UniversalForwarder
blacklist1 = Message=".*Logon\sType:\s*3\D"


lukejadamec
Super Champion

Hello,
Yes, there is a way to test regex in a search. Use |regex _raw= as in the following.

index=main sourcetype="*security*" EventCode=538 |regex _raw=(?m).*Logon\sType:\s+3.*

I tested it and it worked. Try it in your transforms.conf.


lukejadamec
Super Champion

From what I understand, you have to discard everything before you keep something, or you have to keep everything before you discard something.

It would be the backwards version of this answer:
http://answers.splunk.com/answers/99905/how-to-forward-only-specific-windows-eventlogs-via-splunk-un...

props.conf

[source::WinEventLog:Security]
TRANSFORMS-nullq=KeepLogs,Remove_Logon_Type_3

transforms.conf

[KeepLogs]
REGEX= .
DEST_KEY=queue
FORMAT=indexQueue

[Remove_Logon_Type_3]
REGEX=(?msi).*Logon\sType:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue

I'll test this in the morning.


aportela_work
Explorer

Belated thanks for your response, which did help us test regex from "Splunk Search". We were able to tweak it as follows and successfully tested it in our env: REGEX=_raw=(?msi).*Logon\sType:\s*3\D

However, we were still having issues with the actual regex configuration, where we had done the following on the heavy forwarder, but still could not filter out events.
props.conf

[source::WinEventLog:Security]
TRANSFORMS-nullq=Remove_Logon_Type_3

transforms.conf

[Remove_Logon_Type_3]
REGEX=(?msi).*Logon\sType:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue

Please let me know if any of the config info looks out of place. And, feel free to post any additional comments, ideas, etc. Thanks again... Al

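An added check, not part of any post in this thread: a small Python harness that runs the thread's transforms.conf pattern against the sample event quoted above (Python's re engine is close to, but not identical to, Splunk's PCRE). It shows that the trailing \D needs a character after the 3, so an event whose very last character is that 3 is not matched and would not be routed to nullQueue; the ROBUST_REGEX variant that also accepts end-of-event is an assumption added here, not something from the thread.

```python
import re

# Sample Windows Security event, constructed from the record quoted in the
# question. Note that it ends directly after "Logon Type: 3".
SAMPLE_EVENT = """09/04/2013 06:18:26 PM
LogName=Security
SourceName=Security
EventCode=538
EventType=8
Type=Success Audit
ComputerName=SNODEV106
User=polypaths
Sid=S-1-5-21-1971354296-1767978563-709122288-167354
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=3049159
Message=User Logoff:
        User Name:  polypaths
        Domain:     CGUSER
        Logon ID:   (0x0,0x644269C)
        Logon Type: 3"""

# The pattern used in the thread's transforms.conf stanza.
THREAD_REGEX = r"(?msi).*Logon\sType:\s*3\D"

# Assumed variant: also matches when the 3 is the last character of the event,
# while still refusing to match "Logon Type: 30" or similar (the purpose of \D).
ROBUST_REGEX = r"(?msi).*Logon\sType:\s*3(?:\D|$)"


def would_drop(event: str, pattern: str = THREAD_REGEX) -> bool:
    """True if the nullQueue transform's REGEX matches the event (event is dropped)."""
    return re.search(pattern, event) is not None


def filter_events(events, pattern: str = THREAD_REGEX):
    """Return the events that would survive the transform and reach the index."""
    return [e for e in events if not would_drop(e, pattern)]


if __name__ == "__main__":
    print("event ends in '3', thread regex drops it:", would_drop(SAMPLE_EVENT))
    print("same event plus trailing newline, dropped:", would_drop(SAMPLE_EVENT + "\n"))
    print("event ends in '3', robust regex drops it:", would_drop(SAMPLE_EVENT, ROBUST_REGEX))
```

Run a few variants of the real events through would_drop before editing transforms.conf; if trailing whitespace is what decides the match, the regex rather than the props.conf wiring is the thing to adjust.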