Why is my regex in transforms.conf to filter Windows Events on a heavy forwarder not working?

Explorer

Hi,

I'm using the Syslog server to gather all my Windows events. Right now, I'm trying to use a Splunk heavy forwarder to filter out Event IDs 5156 and 4768.

I have configured both my props.conf and transforms.conf.
Below are the settings:

props.conf

[source::D:\Program Files (x86)\Syslogd\Logs]
TRANSFORM-null= setnull

transforms.conf

[setnull]
REGEX= (\d+.){6}\d+\s(5156|4768)
DEST_KEY = queue
FORMAT = nullQueue

One of the sample messages from the Windows Events is below:

2015-12-09 12:52:12 Kernel.Notice   192.168.1.12    Dec 09 12:52:12 DSFDCUAT01.buk.edu.my MSWinEventLog 5   Security    14032221    Wed Dec 09 12:48:50 2015    5156    Microsoft-Windows-Security-Auditing     N/A Audit Success   DSFDCUAT01.buk.edu.my   12810   The description for Event ID 5156 from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 4. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.

I'm trying to filter on the Event ID, which is located in "Wed Dec 09 12:48:50 2015 5156" within the message.

Please advise if my regex is correct.

Thank you.

1 Solution

Legend

Try just this (5156|4768)


Explorer

I have updated the settings in the transforms.conf and restarted Splunk. But the settings did not take effect. The transforms.conf is located at /etc/system/local. Is there anything which I might have done wrong?


Explorer

Could it be something wrong with my props.conf? I see that in the default template the source contains a double backslash instead of a single one.


Legend

Change
TRANSFORM-null= setnull

To
TRANSFORMS-null= setnull

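As an added example (not code from the thread, and not Splunk's own implementation), the following Python script emulates the two points the answers make: props.conf only hands an event to a transform through a key spelled TRANSFORMS-<name>, and the transform's REGEX is applied unanchored to the raw event. It parses constructed copies of the posted props.conf and transforms.conf, runs the posted regex and the accepted answer's regex over a sample event in the MSWinEventLog layout from the question, and also checks a constructed 4624 logon event whose record number happens to contain "5156", to show how a bare (5156|4768) can drop events you meant to keep. The tab separators between fields, the 4624 event, the anchored alternative regex and the toy .conf parser are assumptions of this example, not anything the thread states.

```python
import re

# Constructed copies of the configuration posted in the question
# (example data, not the thread's own files).
PROPS_AS_POSTED = r"""
[source::D:\Program Files (x86)\Syslogd\Logs]
TRANSFORM-null= setnull
"""
PROPS_FIXED = r"""
[source::D:\Program Files (x86)\Syslogd\Logs]
TRANSFORMS-null= setnull
"""
TRANSFORMS_AS_POSTED = r"""
[setnull]
REGEX= (\d+.){6}\d+\s(5156|4768)
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events in the MSWinEventLog layout shown in the thread.
# Tab separators are an assumption: the page's copy shows runs of spaces.
EVENT_5156 = (
    "2015-12-09 12:52:12 Kernel.Notice\t192.168.1.12\tDec 09 12:52:12 "
    "DSFDCUAT01.buk.edu.my MSWinEventLog\t5\tSecurity\t14032221\t"
    "Wed Dec 09 12:48:50 2015\t5156\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tAudit Success\tDSFDCUAT01.buk.edu.my\t12810\t"
    "The description for Event ID 5156 from source "
    "Microsoft-Windows-Security-Auditing cannot be found."
)
# A constructed 4624 (logon) event whose record number contains "5156".
EVENT_4624 = (
    "2015-12-09 12:53:01 Kernel.Notice\t192.168.1.12\tDec 09 12:53:01 "
    "DSFDCUAT01.buk.edu.my MSWinEventLog\t5\tSecurity\t14051560\t"
    "Wed Dec 09 12:49:40 2015\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tAudit Success\tDSFDCUAT01.buk.edu.my\t12544\t"
    "An account was successfully logged on."
)


def parse_conf(text):
    """Toy parser for Splunk-style .conf text: {stanza: {key: value}}.
    Handles '[stanza]' headers and 'key = value' lines only (no continuation
    lines), which is all the posted configuration needs."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def nullqueue_regexes(props_text, transforms_text):
    """Return (warnings, regexes): the REGEX of every transform that props.conf
    actually routes to nullQueue. Only keys spelled TRANSFORMS-<name> are
    honoured; a key spelled TRANSFORM-<name> is not a recognised props.conf
    key, so it is reported instead of applied."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    warnings, regexes = [], []
    for stanza, keys in props.items():
        for key, value in keys.items():
            if key.startswith("TRANSFORMS-"):
                for name in value.split(","):
                    t = transforms.get(name.strip(), {})
                    if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                        regexes.append(t["REGEX"])
            elif key.upper().startswith("TRANSFORM"):
                warnings.append(f"[{stanza}] {key}: not a props.conf key, "
                                f"did you mean TRANSFORMS-{key.split('-', 1)[-1]}?")
    return warnings, regexes


def is_dropped(event, regexes):
    """A transform REGEX is matched unanchored against the raw event,
    which is what re.search does; any match sends the event to nullQueue."""
    return any(re.search(rx, event) for rx in regexes)


CANDIDATES = {
    "as posted": r"(\d+.){6}\d+\s(5156|4768)",
    "accepted answer": r"(5156|4768)",
    # Assumed tighter alternative: the ID sits between a separator and the
    # event-source field, so anchor on both to avoid substring hits.
    "anchored on source field": r"\s(5156|4768)\s+Microsoft-Windows-Security-Auditing",
}


def evaluate(candidates=CANDIDATES):
    """Map regex label -> (drops EVENT_5156?, drops EVENT_4624?)."""
    return {label: (is_dropped(EVENT_5156, [rx]), is_dropped(EVENT_4624, [rx]))
            for label, rx in candidates.items()}


if __name__ == "__main__":
    for props in (PROPS_AS_POSTED, PROPS_FIXED):
        warnings, regexes = nullqueue_regexes(props, TRANSFORMS_AS_POSTED)
        print("warnings:", warnings, "| active nullQueue regexes:", regexes)
    for label, (drops_5156, drops_4624) in evaluate().items():
        print(f"{label:26} drops 5156: {drops_5156!s:5} drops 4624: {drops_4624}")
```

With the props.conf as posted, no regex is active at all, which matches the "settings did not take effect" symptom regardless of what transforms.conf says. Once the key is TRANSFORMS-null, the posted regex never matches the sample event, the bare (5156|4768) matches both the 5156 event and the 4624 event with record number 14051560, and only the regex anchored on the neighbouring field keeps the logon event. Before pointing a transform at nullQueue, it is worth running the candidate regex as a search over the source for a while to confirm it only matches what you intend, since events dropped at the forwarder are gone for good.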