Splunk Search

Trouble Matching a regex for Transforms.conf

kholleran
Communicator

Hi,

I am auditing the Splunk Data directories for any kind of access. To do this, I put EVERYONE in the audit group. I then want to filter out any that come in from the system account:

For instance, an event like this is generated:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=COMPUTERNAME.DOMAIN.com
TaskCategory=File System
OpCode=Info
RecordNumber=960826400
Keywords=Audit Success
Message=A handle to an object was requested.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       COMPUTERNAME$
    Account Domain:     DMN
    Logon ID:       0x3e7

Object:
    Object Server:      Security
    Object Type:        File
    Object Name:        C:\Program Files\Splunk\Python-2.7\Lib\encodings
    Handle ID:      0x8c

Process Information:
    Process ID:     0xcf4
    Process Name:       C:\Program Files\Splunk\bin\python.exe

What I want to match and pass to the nullQueue in transforms.conf spans multiple lines:

TaskCategory=File System & Account Name: COMPUTERNAME$

I cannot get this to match no matter the regex I throw in there (I am guessing because it is going across multiple lines).

Thanks for any help.

Kevin


MarioM
Motivator

Have you tried putting (?msi) before your regex? If it still doesn't work, what is your regex?

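The suggestion above, worked through as an added example (this is not code from the thread): a transforms.conf REGEX that starts with (?msi) and spans from the TaskCategory line down to the Account Name line, checked locally with Python's re module against a constructed event shaped like the one in the question. Splunk evaluates REGEX with PCRE, and Python's re agrees with PCRE for every construct used here (inline flags, ^ and $ in multiline mode, a lazy .*? under the s flag, \s, and an escaped \$), so the local check is a fair stand-in before touching the indexer. The stanza names, the WinEventLog:Security sourcetype, and the tighter process-path variant are assumptions, not from the thread. Two caveats worth knowing: filtering on the account alone also drops audit events for any other process running as the machine account, so the tighter variant anchors on the Splunk process path as well; and nullQueue routing is applied where the data is parsed (the indexer or a heavy forwarder), not on a universal forwarder.

```python
import re

# REGEX exactly as it would be written on the transforms.conf REGEX line.
# (?m) lets ^ and $ anchor at line boundaries inside the multi-line event,
# (?s) lets .*? cross newlines, (?i) ignores case. \$ escapes the literal $
# in the machine account name and \r? tolerates CRLF line endings.
NULLQUEUE_REGEX = (
    r"(?msi)^TaskCategory=File System\r?$"
    r".*?^\s*Account Name:\s+COMPUTERNAME\$\r?$"
)

# Tighter variant (assumption, not from the thread): also require the Splunk
# process, so machine-account access from any other process is still indexed.
TIGHT_REGEX = (
    r"(?msi)^TaskCategory=File System\r?$"
    r".*?^\s*Account Name:\s+COMPUTERNAME\$\r?$"
    r".*?^\s*Process Name:\s+C:\\Program Files\\Splunk\\"
)

# The same regex with the s flag dropped: .*? can no longer span lines,
# which is why the original attempts never matched.
SINGLE_LINE_DOT = NULLQUEUE_REGEX.replace("(?msi)", "(?mi)")

# Hypothetical stanza names and sourcetype; adjust to the local deployment.
STANZAS = f"""
# props.conf
[WinEventLog:Security]
TRANSFORMS-drop_splunk_system = drop_splunk_system_access

# transforms.conf
[drop_splunk_system_access]
REGEX = {NULLQUEUE_REGEX}
DEST_KEY = queue
FORMAT = nullQueue
"""


def make_event(account: str, process: str, eol: str = "\n") -> str:
    """Constructed 4656 event shaped like the one in the question (not a real log)."""
    lines = [
        "LogName=Security",
        "EventCode=4656",
        "TaskCategory=File System",
        "Message=A handle to an object was requested.",
        "",
        "Subject:",
        "    Security ID:        NT AUTHORITY\\SYSTEM",
        f"    Account Name:       {account}",
        "    Account Domain:     DMN",
        "",
        "Object:",
        "    Object Name:        C:\\Program Files\\Splunk\\Python-2.7\\Lib\\encodings",
        "",
        "Process Information:",
        f"    Process Name:       {process}",
    ]
    return eol.join(lines) + eol


def would_nullqueue(regex: str, event: str) -> bool:
    """True if a transforms.conf stanza with this REGEX would drop the event."""
    return re.search(regex, event) is not None


if __name__ == "__main__":
    splunk_py = "C:\\Program Files\\Splunk\\bin\\python.exe"
    print(STANZAS)
    for label, regex in (("(?msi)", NULLQUEUE_REGEX), ("(?mi) only", SINGLE_LINE_DOT)):
        print(f"{label:12} drops SYSTEM event: "
              f"{would_nullqueue(regex, make_event('COMPUTERNAME$', splunk_py))}")
    print("tight regex drops cmd.exe as SYSTEM:",
          would_nullqueue(TIGHT_REGEX, make_event("COMPUTERNAME$", "C:\\Windows\\System32\\cmd.exe")))
```

Run it as a script to print the stanzas and the match results; the (?mi)-only line shows False, which is the behaviour the question describes. Windows event log events reach Splunk with CRLF line endings, so keep the \r? before each $ anchor or the line anchors will silently fail on the indexer even though they pass against LF-only test data.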