cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
alexandrosd
New Member
Member since: ‎02-26-2019
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-26-2019
View All

Re: How do you filter out an event based on an acc...

by in Getting Data In
‎02-26-2019 06:58 AM
‎02-26-2019 06:58 AM
Hello hgrow, seems that the config on the indexer works perfect for me. Changes made under $SPLUNK_HOME/etc/system/local/ and restarted splunk and voila. Thank you. ... View more

Re: How do you filter out an event based on an acc...

by in Getting Data In
‎02-26-2019 06:08 AM
‎02-26-2019 06:08 AM
Thanks for the reply. based on the docs, this means that i need to add this configuration for props.conf and transforms.conf, under $SPLUNK_HOME/etc/system/local/. Im based on the "Filter WMI and Event Log events" on the doc. Is that correct? ... View more

How do you filter out an event based on an account...

by in Getting Data In
‎02-26-2019 04:08 AM
‎02-26-2019 04:08 AM
Hello, I am trying to exclude specific event logs from a Windows system being forwarded and indexed to Splunk. What I need to do is to filter out an event based on the content of the event (actually for a specific user called installer). What i did so far is: Under props.conf of universal forwarder ($PROGRAMFILES\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\props.conf) I defined the following: [WinEventLog:Security] TRANSFORMS-t1=exclude-installer and under transforms.conf on the same path the following: [exclude-installer] REGEX=(?s)(Account Name:\s\sinstaller) DEST_KEY=queue FORMAT=nullQueue The problem is that this specific configuration does not work. Events are not filtered out... Any suggestions? Thank you in advance. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM