Splunk Search

Why is my regex in transforms.conf to filter Windows Events on a heavy forwarder not working?

leonheart78
Explorer

Hi,

I'm using the Syslog server to gather all my Windows events. Right now, I'm trying to use a Splunk Heavy forwarder to filter off Event ID 5156 and 4768.

I have configured both my props.conf and transforms.conf.
Below are the settings:

props.conf

[source::D:\Program Files (x86)\Syslogd\Logs]
TRANSFORM-null= setnull

transforms.conf

[setnull]
REGEX= (\d+.){6}\d+\s(5156|4768)
DEST_KEY = queue
FORMAT = nullQueue

One of the sample messages from the Windows Events is below

2015-12-09 12:52:12 Kernel.Notice   192.168.1.12    Dec 09 12:52:12 DSFDCUAT01.buk.edu.my MSWinEventLog 5   Security    14032221    Wed Dec 09 12:48:50 2015    5156    Microsoft-Windows-Security-Auditing     N/A Audit Success   DSFDCUAT01.buk.edu.my   12810   The description for Event ID 5156 from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 4. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.

I'm trying to filter the Event ID which is located in Wed Dec 09 12:48:50 2015 5156 within the message.

Please advise if my regex is correct.

Thank you.

0 Karma
1 Solution

sundareshr
Legend

Try just this (5156|4768)


0 Karma

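To see why the question's pattern never fires, and what the shorter pattern from the accepted answer does and does not match, here is an added Python harness that is not part of the thread. It applies each REGEX with an unanchored search (the same semantics Splunk's PCRE-based transform uses against _raw) to two constructed events laid out with tab-separated fields, as the MSWinEventLog format delivers them (the forum copy shows runs of spaces where tabs were flattened). The second event, a 4624 logon whose record number happens to contain the digits 4768, is constructed to show how a bare `(5156|4768)` can silently drop events you meant to keep; the third "anchored" pattern is an assumption about the field layout (four-digit year, tab, event ID, tab), not something the thread proposes.

```python
import re

# Constructed sample in the Snare/MSWinEventLog tab-separated layout
# (assumption: the forwarder sees tabs between fields, as MSWinEventLog emits).
EVENT_5156 = (
    "2015-12-09 12:52:12 Kernel.Notice\t192.168.1.12\tDec 09 12:52:12 "
    "DSFDCUAT01.buk.edu.my MSWinEventLog\t5\tSecurity\t14032221\t"
    "Wed Dec 09 12:48:50 2015\t5156\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tAudit Success\tDSFDCUAT01.buk.edu.my\t12810\t"
    "The description for Event ID 5156 from source "
    "Microsoft-Windows-Security-Auditing cannot be found."
)

# Constructed logon event (4624) that must NOT be discarded; its record
# number 14768223 deliberately contains the digits 4768.
EVENT_4624 = (
    "2015-12-09 12:53:01 Kernel.Notice\t192.168.1.12\tDec 09 12:53:01 "
    "DSFDCUAT01.buk.edu.my MSWinEventLog\t5\tSecurity\t14768223\t"
    "Wed Dec 09 12:49:40 2015\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tAudit Success\tDSFDCUAT01.buk.edu.my\t12544\t"
    "An account was successfully logged on."
)

SAMPLES = {"5156": EVENT_5156, "4624": EVENT_4624}

PATTERNS = {
    "original": r"(\d+.){6}\d+\s(5156|4768)",  # REGEX from the question
    "accepted": r"(5156|4768)",                 # REGEX from the accepted answer
    "anchored": r"\d{4}\t(5156|4768)\t",        # assumption: year, tab, ID, tab
}


def to_null_queue(pattern: str, event: str) -> bool:
    """True if the transform's REGEX matches anywhere in the raw event,
    which is what routes it to nullQueue via DEST_KEY=queue/FORMAT=nullQueue."""
    return re.search(pattern, event) is not None


def dropped_events(pattern: str, events: dict) -> list:
    """Names of the sample events a given REGEX would discard."""
    return [name for name, ev in events.items() if to_null_queue(pattern, ev)]


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(f"{name:9s} {pat!r:36s} drops {dropped_events(pat, SAMPLES)}")
```

The original pattern drops nothing: each `(\d+.)` group needs a digit run followed by exactly one character, and the `Wed Dec` tokens before the timestamp break the run of six such groups that would have to sit directly in front of the event ID. The accepted pattern drops the 5156 event but also the 4624 logon, because `4768` occurs inside its record number; a nullQueue filter is a blind spot by design, so it pays to anchor the ID to its surrounding delimiters before trusting it in production.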
leonheart78
Explorer

I have updated the settings in the transforms.conf and restarted Splunk. But the settings did not take effect. The transforms.conf is located at /etc/system/local. Is there anything which I might have done wrongly?

0 Karma

leonheart78
Explorer

Could it be something wrong with my props.conf? I see in the default template, the source contains a double backslash instead of one.

0 Karma

sundareshr
Legend

Change
TRANSFORM-null= setnull

To
TRANSFORMS-null= setnull

0 Karma
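A quick way to catch this class of mistake before restarting Splunk is to lint the two files together: flag props.conf keys that look like `TRANSFORMS-<class>` but are misspelled, and flag `TRANSFORMS-` values that name no stanza in transforms.conf. The following Python check is an added example, not something from the thread or from Splunk; the embedded .conf text is a constructed copy of the question's stanzas, and the parsing relies only on the INI-like layout of Splunk .conf files.

```python
import configparser
import re

# Constructed copy of the stanzas from the question (key name as posted).
PROPS_CONF = r"""
[source::D:\Program Files (x86)\Syslogd\Logs]
TRANSFORM-null= setnull
"""

TRANSFORMS_CONF = r"""
[setnull]
REGEX= (5156|4768)
DEST_KEY = queue
FORMAT = nullQueue
"""


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk .conf fragment. Splunk keys are case-sensitive, so
    configparser's default lower-casing of option names is disabled; '='
    is the only delimiter so the '::' in stanza names is never misread."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_transforms_wiring(props_text: str, transforms_text: str) -> list:
    """Return a list of human-readable problems linking props.conf to
    transforms.conf: misspelled TRANSFORMS-* keys, and class values that
    reference a stanza transforms.conf does not define."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    problems = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if key.startswith("TRANSFORMS-"):
                # A class may list several stanzas separated by commas.
                for name in (v.strip() for v in value.split(",")):
                    if not transforms.has_section(name):
                        problems.append(
                            f"[{stanza}]: TRANSFORMS refers to missing stanza [{name}]"
                        )
            elif re.match(r"(?i)transforms?-", key):
                # e.g. TRANSFORM-null: not a recognised setting, so it never runs.
                problems.append(
                    f"[{stanza}]: key '{key}' is not applied; use 'TRANSFORMS-<class>'"
                )
    return problems


if __name__ == "__main__":
    for line in check_transforms_wiring(PROPS_CONF, TRANSFORMS_CONF):
        print(line)
    fixed = PROPS_CONF.replace("TRANSFORM-null", "TRANSFORMS-null")
    print("after fix:", check_transforms_wiring(fixed, TRANSFORMS_CONF))
```

On the posted configuration this reports the `TRANSFORM-null` key; after renaming it to `TRANSFORMS-null` the check comes back empty. On the forwarder itself, `splunk btool props list --debug` shows which file each effective setting comes from, which is the usual way to confirm that the stanza in $SPLUNK_HOME/etc/system/local is the one being applied.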