At the indexer, we are trying to exclude event records from incoming Windows logs that have
Below is the configuration that we have, but it doesn't seem to work. Also, is there a way to test this code via the Search option in the UI before putting it in the conf files?
[Remove_Logon_Type_3]
REGEX=(?msi).*Logon Type:\s*3\D
DEST_KEY=queue
FORMAT=nullQueue
Sample event record below. We are trying to eliminate records based on matching a text string in said record, because we are not sure whether we can explicitly name a specific field like "Logon_Type".
09/04/2013 06:18:26 PM LogName=Security SourceName=Security EventCode=538 EventType=8 Type=Success Audit ComputerName=SNODEV106 User=polypaths Sid=S-1-5-21-1971354296-1767978563-709122288-167354 SidType=1 Category=2 CategoryString=Logon/Logoff RecordNumber=3049159 Message=User Logoff: User Name: polypaths Domain: CGUSER Logon ID: (0x0,0x644269C) Logon Type: 3
Yes, there is a way to test a regex in a search. Use |regex _raw= as in the following.
index=main sourcetype="*security*" EventCode=538 |regex _raw=(?m).*Logon\sType:\s+3.*
I tested it and it worked. Try it in your transforms.conf.
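The search test above can be reproduced offline. The block below is an added example, not part of the thread: it runs the question's REGEX, the answer's search pattern, and one added variant over a few constructed Windows Security records (modelled on the sample in the question, not real logs) and reports which queue a DEST_KEY=queue transform would send each record to. Splunk evaluates REGEX with PCRE; Python's `re` is used here as a stand-in, which is faithful for these constructs. One thing worth checking while testing: the sample in the question ends immediately after "Logon Type: 3", and the trailing `\D` needs a character to consume, so a record that really ends there does not match. The `(?!\d)` variant is this example's own suggestion, not from the thread.

```python
import re

# Constructed sample records modelled on the event in the question (not real logs).
# "type3_at_end" ends immediately after "Logon Type: 3", as the question's sample does.
SAMPLE_EVENTS = {
    "type3_at_end": (
        "09/04/2013 06:18:26 PM LogName=Security SourceName=Security EventCode=538 "
        "EventType=8 Type=Success Audit ComputerName=SNODEV106 User=polypaths "
        "Message=User Logoff: User Name: polypaths Domain: CGUSER "
        "Logon ID: (0x0,0x644269C) Logon Type: 3"
    ),
    "type3_then_more": (
        "09/04/2013 06:20:01 PM LogName=Security SourceName=Security EventCode=540 "
        "Message=Successful Network Logon: User Name: polypaths Domain: CGUSER "
        "Logon ID: (0x0,0x6442A00) Logon Type: 3 Logon Process: Kerberos"
    ),
    "type2_interactive": (
        "09/04/2013 06:21:15 PM LogName=Security SourceName=Security EventCode=528 "
        "Message=Successful Logon: User Name: admin Domain: CGUSER "
        "Logon ID: (0x0,0x6442B10) Logon Type: 2 Logon Process: User32"
    ),
    "type30_not_a_real_type": (
        "09/04/2013 06:22:00 PM LogName=Security EventCode=538 "
        "Message=User Logoff: User Name: svc Domain: CGUSER Logon Type: 30"
    ),
}

# The REGEX from the question's transforms.conf stanza, verbatim.
QUESTION_REGEX = r"(?msi).*Logon Type:\s*3\D"
# The pattern used in the answer's "| regex _raw=" search, verbatim.
ANSWER_REGEX = r"(?m).*Logon\sType:\s+3.*"
# Added variant (assumption, not from the thread): a negative lookahead rejects "30"
# like \D does, but also matches when the record ends right after the "3".
LOOKAHEAD_REGEX = r"(?msi)Logon Type:\s*3(?!\d)"


def queue_for(pattern: str, raw: str) -> str:
    """Where a DEST_KEY=queue / FORMAT=nullQueue transform would send this record.
    Splunk tests REGEX anywhere in _raw, so re.search (not re.match) is the analogue."""
    return "nullQueue" if re.search(pattern, raw) else "indexQueue"


def routing_table(pattern: str) -> dict:
    """Apply one REGEX to every sample record and report the resulting queue."""
    return {name: queue_for(pattern, raw) for name, raw in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, pattern in [("question", QUESTION_REGEX),
                           ("answer", ANSWER_REGEX),
                           ("lookahead", LOOKAHEAD_REGEX)]:
        print(f"{label}: {pattern}")
        for name, queue in routing_table(pattern).items():
            print(f"  {name:<24} -> {queue}")
```

Running it shows the trade-off between the two patterns on the page: the question's `\D` correctly leaves "Logon Type: 30" alone but misses a record that ends at the "3", while the answer's `3.*` catches the end-of-record case but would also null-route "30". The lookahead form handles both; whichever you settle on, test it against records copied from the index rather than from a console, since trailing whitespace and line endings decide whether `\D` has anything to match.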
Belated thanks for your response, which did help us test the regex from "Splunk Search". We were able to tweak it as follows and successfully tested it in our env: REGEX=_raw=(?msi).Logon\sType:\s3\D
However, we were still having issues with the actual regex configuration, where we had done the following on the heavy forwarder, but still could not filter out events.
Please let me know if any of the config info looks out of place. And feel free to post any additional comments, ideas, etc. Thanks again... Al
From what I understand, you have to discard everything before you keep something, or you have to keep everything before you discard something.
It would be the backwards version of this answer:
I'll test this in the morning.
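The ordering rule stated in the answer above ("discard everything before you keep something, or keep everything before you discard something") can be modelled directly. The block below is an added example and not the thread's configuration: the stanza names, regexes and records are this example's own, and the assumed props.conf wiring (a `TRANSFORMS-<class>` entry on the sourcetype, applied on the first parsing tier, here the heavy forwarder) is shown in a comment. It treats a TRANSFORMS list the way Splunk does for queue routing: transforms run in the listed order, each matching one writes the queue key, and the last writer wins.

```python
import re

# Two constructed records standing in for _raw (modelled on the question's sample, not real logs).
TYPE3_LOGOFF = ("09/04/2013 06:18:26 PM LogName=Security EventCode=538 "
                "Message=User Logoff: User Name: polypaths Domain: CGUSER Logon Type: 3")
TYPE2_LOGON = ("09/04/2013 06:21:15 PM LogName=Security EventCode=528 "
               "Message=Successful Logon: User Name: admin Domain: CGUSER Logon Type: 2")

# Hypothetical transforms.conf stanzas (names and regexes are this example's own).
# Assumed props.conf wiring on the parsing tier, for example:
#   [WinEventLog:Security]
#   TRANSFORMS-routing = setnull,setparsing
TRANSFORMS = {
    # "discard everything, then keep some": every record goes to nullQueue ...
    "setnull":    {"REGEX": r".", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    # ... and a later match pulls Logon Type 3 records back to indexQueue.
    "setparsing": {"REGEX": r"Logon Type:\s*3(?!\d)", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
    # "keep everything, then discard some": the backwards version.
    "keepall":    {"REGEX": r".", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
    "droptype3":  {"REGEX": r"Logon Type:\s*3(?!\d)", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
}


def route(transform_list, raw, transforms=TRANSFORMS):
    """Model of a TRANSFORMS-<class> list: transforms run in listed order, each matching
    one writes the queue key, and the last writer wins. Unmatched records index normally."""
    queue = "indexQueue"
    for name in transform_list:
        t = transforms[name]
        if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue


def compare_orders(raw):
    """Route one record under the correct and the reversed ordering of both patterns."""
    return {
        "setnull,setparsing": route(["setnull", "setparsing"], raw),
        "setparsing,setnull": route(["setparsing", "setnull"], raw),
        "keepall,droptype3": route(["keepall", "droptype3"], raw),
        "droptype3,keepall": route(["droptype3", "keepall"], raw),
    }


if __name__ == "__main__":
    for label, raw in [("type 3 logoff", TYPE3_LOGOFF), ("type 2 logon", TYPE2_LOGON)]:
        print(label)
        for order, queue in compare_orders(raw).items():
            print(f"  {order:<20} -> {queue}")
```

With the list reversed, the catch-all stanza runs last and silently overrides the specific one: `setparsing,setnull` drops every record, and `droptype3,keepall` indexes every record, which looks exactly like "the filter does nothing". For the thread's goal (keep everything, drop Logon Type 3) the single `droptype3` stanza is enough on its own, since unmatched records index by default; the `keepall` stanza is only there to show the ordering effect.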