I'm using splunk enterprise on a local windows based system. I have a file reader configured to watch a directory where I dump logs and folders of logs. c:\logs\*\*.log All folders and files that end in ".log" There is a specific event that is typically in my .log files and they always start with 30 and 32. I'd like to filter this out and I've tried everything I can think of. I even copied this type of setup, but I can't seem to get it working: Section: "Discard specific events and keep the rest" http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Routeandfilterdatad Used this for a reference for windows file paths: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Specifyinputpathswithwildcards in the etc\system\local props.conf [source::....log] TRANSFORMS-null= setnull Also tried [source:://....log] Also tried [monitor:://....log] Also tried [monitor::....log] transforms.conf [setnull] regex = ^3[02] DEST_KEY = queue FORMAT = nullQueue After making changes, I restart splunk and send some test data, every time, my unwanted events that start with 30 and 32 still show up. Any help would be great, I'm pretty sure my regex is right, but I don't have any idea if the rest is. Thanks, Grant ... View more

I'm looking for help on creating a custom CEF index. I have CEF Syslog data sent into my Splunk instance and I'd like to index some of the tokened fields and simply parse the others. I know how to do regex extractions for each field, but there has to be a better way to tell splunk there is a CEF header and following a header is the token field names and values. I want these to be indexed prior to searching for performance. I do not know if this will scale, but I want to try it. Can anyone help? ... View more

Example: I'd like to run a search on windows logs, do some data transformation and then pipe the output to a syslog listener not on the local host. sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=2 | Send to syslog IP 10.0.0.12:514 ... View more