Splunk Search

REGEX to filter out event records

aportela
New Member

At the indexer, we are trying to exclude event records from incoming windows logs that have Logon_Type=3.

Below is the configuration that we have, but it doesn't seem to work. Also, is there a way to test this regex via the Search option in the UI before putting it in the conf files?

props.conf entry:

[source::WinEventLog:Security]
TRANSFORMS-nullq=Remove_Logon_Type_3

transforms.conf entry:

[Remove_Logon_Type_3]
REGEX=(?msi).*Logon Type:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue

Sample event record below. We are trying to eliminate records based on matching a text string in the record, because we are not sure whether we can explicitly name a specific field like "Logon_Type".

09/04/2013 06:18:26 PM
LogName=Security
SourceName=Security
EventCode=538
EventType=8
Type=Success Audit
ComputerName=SNODEV106
User=polypaths
Sid=S-1-5-21-1971354296-1767978563-709122288-167354
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=3049159
Message=User Logoff:
        User Name:  polypaths
        Domain:     CGUSER
        Logon ID:   (0x0,0x644269C)
        Logon Type: 3

Please advise.
Thanks… Al

0 Karma

kalianov
Path Finder

I use a blacklist stanza in the
inputs.conf file on UniversalForwarder
blacklist1 = Message=".*Logon\sType:\s*3\D"

0 Karma

lukejadamec
Super Champion

Hello,
Yes, there is a way to test regex in a search. Use |regex _raw= as in the following.

index=main sourcetype="*security*" EventCode=538 |regex _raw=(?m).*Logon\sType:\s+3.*

I tested it and it worked. Try it in your transforms.conf.

0 Karma

lukejadamec
Super Champion

From what I understand, you have to discard everything before you keep something, or you have to keep everything before you discard something.

It would be the backwards version of this answer:
http://answers.splunk.com/answers/99905/how-to-forward-only-specific-windows-eventlogs-via-splunk-un...

props.conf

[source::WinEventLog:Security]
TRANSFORMS-nullq=KeepLogs,Remove_Logon_Type_3

transforms.conf

[KeepLogs]
REGEX= .
DEST_KEY=queue
FORMAT=indexQueue

[Remove_Logon_Type_3]
REGEX=(?msi).*Logon\sType:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue

I'll test this in the morning.

0 Karma

aportela_work
Explorer

Belated thanks for your response, which did help us test regex from "Splunk Search". We were able to tweak it as follows and successfully tested it in our env: REGEX=_raw=(?msi).*Logon\sType:\s*3\D

However, we were still having issues with the actual regex configuration, where we had done the following on the heavy forwarder, but still could not filter out events.
props.conf

[source::WinEventLog:Security]
TRANSFORMS-nullq=Remove_Logon_Type_3

transforms.conf

[Remove_Logon_Type_3]
REGEX=(?msi).*Logon\sType:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue

Please let me know if any of the config info looks out of place. And feel free to post any additional comments, ideas, etc. Thanks again... Al

0 Karma
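An added example, not from anyone in this thread: it replays the nullQueue decision offline in Python, using the `(?msi).*Logon\sType:\s*3\D` pattern from the posts verbatim against records constructed from the sample event. It assumes Python's `re` treats `\s`, `\D` and the inline `(?msi)` flags the same way Splunk's PCRE does for this pattern, and it shows one edge case worth checking when a transform seems not to fire: `\D` must consume a character after the `3`, so a record whose `_raw` ends right at that digit is not matched, while a negative lookahead form matches it and still leaves other logon types alone.

```python
import re

# Constructed sample _raw values, modelled on the EventCode 538 record in the question.
# Record A ends immediately after "Logon Type: 3" (nothing follows the digit).
EVENT_TYPE_3 = (
    "09/04/2013 06:18:26 PM\n"
    "LogName=Security\n"
    "EventCode=538\n"
    "Message=User Logoff:\n"
    "        User Name:  polypaths\n"
    "        Domain:     CGUSER\n"
    "        Logon ID:   (0x0,0x644269C)\n"
    "        Logon Type: 3"
)
# Record B: same event, interactive (type 2) logon, which must be kept.
EVENT_TYPE_2 = EVENT_TYPE_3.replace("Logon Type: 3", "Logon Type: 2")
# Record C: type 3 logon where another line follows the digit.
EVENT_TYPE_3_TRAILING = EVENT_TYPE_3 + "\n        Other Field: x"

# REGEX exactly as written in the transforms.conf stanza in the thread.
REGEX_FROM_POST = r"(?msi).*Logon\sType:\s*3\D"
# Hypothetical alternative: require "not a digit" without consuming a character.
REGEX_LOOKAHEAD = r"(?msi).*Logon\sType:\s*3(?!\d)"


def routes_to_nullqueue(raw: str, regex: str) -> bool:
    """Mimic DEST_KEY=queue / FORMAT=nullQueue: the event is discarded
    when REGEX matches anywhere in _raw (Splunk's REGEX is unanchored)."""
    return re.search(regex, raw) is not None


def filter_events(events, regex):
    """Return only the events the transform would pass on to the index."""
    return [e for e in events if not routes_to_nullqueue(e, regex)]
```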