×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
rfrazier
New Member
Member since: ‎03-02-2015
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-02-2015
Activity Feed
View All

Re: How do you filter Windows:Security:Events: 514...

by in Getting Data In
‎06-02-2015 07:55 AM
‎06-02-2015 07:55 AM
I made the changes to transforms.conf and props.conf. These conf files are in $SPLUNKHOME/etc/apps/all_indexers/local. Should these files be in $SPLUNKHOME/etc/system/local/ on each of the indexers instead? ... View more

How do you filter Windows:Security:Events: 5145 us...

by in Getting Data In
‎06-01-2015 02:02 PM
‎06-01-2015 02:02 PM
I am trying to filter Windows:Security:Events: 5145. I created the props.conf and the transforms.conf file listed below. I have it in a app called all_indexers which gets push to all indexers. The props.conf and the transforms.conf files are in the /all_indexers/local/ directory on each of the indexers. Some thing is amiss, but I can't seem to find it. Contents of the transforms.conf Filter Widows Security Events: 5145 [nullFilter-5145] REGEX=(EventCode=5145) DEST_KEY=queue FORMAT=nullQueue Contents of the props.conf [source::WinEventLog:Security] TRANSFORMS-nullQ=nullFilter-5145 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM