Current Splunk Enterprise Server Version: 6.2.1
Current Splunk Test Server Version: 6.5.0
Question: What is the proper way to filter Windows log events so that only events of type/level Warning, Error, or Failure Audit are indexed for Application, Security, and System (I guess Failure Audit for Security only), without simply filtering by event codes with whitelisting/blacklisting?
inputs.conf
[default]
host = SplunkMachine
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error"
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error"
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"
blacklist1 = Type="^2Failure Audit"
blacklist2 = Type="^3Success Audit"
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error"
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"
transforms.conf
[wminull]
REGEX=(?m)^Level=(1|2|5)
DEST_KEY=queue
FORMAT=nullQueue
props.conf
########## FILE MATCH CONDITIONS ##########
[source::...\\var\\log\\anaconda.syslog(.\d+)?]
sourcetype = anaconda_syslog
[source::...\\var\\log\\anaconda.log(.\d+)?]
sourcetype = anaconda
[source::...\\var\\log\\httpd\\error_log(.\d+)?]
sourcetype = apache_error
[source::...\\var\\log\\cups\\access_log(.\d+)?]
.
.
.
[WinEventLog:Application]
TRANSFORMS-wmi=wminull
[WinEventLog:Security]
TRANSFORMS-wmi=wminull
[WinEventLog:System]
TRANSFORMS-wmi=wminull
####### NON-LOG FILES
So I've tried a few combinations of modifying just transforms.conf and inputs.conf, and just props.conf. So far, my attempts have limited the number of events that are indexed in Splunk; however, according to the documentation, I should only need to modify props.conf and transforms.conf. I suspect I'm missing some regex details.
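One way to get the filtering the question asks for, added here as an illustration and not taken from the question or from a Splunk answer: the key=regex form of whitelist in inputs.conf (filtering at collection time), and for comparison the index-time nullQueue route through props.conf and transforms.conf. Assumptions: the regexes use the % delimiters Splunk's inputs.conf documentation shows for key=regex entries, events are collected in the default text rendering so each one carries a Type= line, and the transform names (wineventlog_drop_noise, wineventlog_drop_success_audit) are invented.

```ini
# inputs.conf -- filter at collection time, before anything is forwarded.
# Only the whitelisted Type values are read; no blacklist is needed.
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
whitelist = Type=%^(Error|Warning)$%

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
whitelist = Type=%^(Error|Warning)$%

# Security events are audits; the Type string differs between Windows
# versions ("Failure Audit" vs. "Audit Failure"), so match both (assumption).
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
whitelist = Type=%^(Failure Audit|Audit Failure)$%

# props.conf -- alternative: drop unwanted events at the indexer instead.
# Sourcetype stanzas use a single colon, unlike the input stanzas above.
[WinEventLog:Application]
TRANSFORMS-drop = wineventlog_drop_noise
[WinEventLog:System]
TRANSFORMS-drop = wineventlog_drop_noise
[WinEventLog:Security]
TRANSFORMS-drop = wineventlog_drop_success_audit

# transforms.conf -- REGEX runs against the raw event text, where the
# Windows input writes one "Type=<value>" line per event (not "Level=").
# (?m) makes ^ and $ match at line boundaries inside the multi-line event.
[wineventlog_drop_noise]
REGEX = (?m)^Type=Information$
DEST_KEY = queue
FORMAT = nullQueue

[wineventlog_drop_success_audit]
REGEX = (?m)^Type=(Success Audit|Audit Success)$
DEST_KEY = queue
FORMAT = nullQueue
```

Dropping Success Audit events discards the logon, privilege-use and object-access records that most account-compromise detections depend on, so the Security filter deserves a second look before it is deployed. The inputs.conf route is cheaper because unwanted events are never read or forwarded, whereas the nullQueue route still costs forwarder bandwidth and indexer parsing.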