This works for me:
whitelist1 = EventCode=%^(4624)$% Message="Logon\sType:\t+10"
whitelist2 = EventCode=%^(4625|4647|4720|4722|4724|4725|4726|4738|4781)$%
Hello,
I need help with this stanza. I only want events for "EventCode=4624 and Logon_Type=10".
Whitelist2 works fine.
[WinEventLog://Security]
disabled = false
start_from = oldest
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist1 = EventCode=%^(4624)$% Logon_Type=%^10$%
whitelist2 = EventCode=%^(4625|4647|4720|4722|4724|4725|4726|4738|4781)$%
index = infrastrukturlog_windows
Thank you
Gerd
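The reply above matches the Message text instead of a Logon_Type key. The Python below is an added example, not code from this thread or from Splunk, that simulates the whitelist evaluation against constructed 4624 events to show the difference. It assumes that every key=regex pair on one whitelist line must match (AND), that separate whitelistN lines are alternatives (OR), and that only raw event keys such as EventCode and Message are visible to the forwarder at whitelist time; Logon_Type is a field extracted later at search time, so a rule on it never matches.

```python
import re

# Constructed sample events (not real log data): the keys a forwarder has when
# it applies a WinEventLog whitelist. Logon Type 10 is RemoteInteractive (RDP).
RDP_LOGON = {
    "EventCode": "4624",
    "Message": (
        "An account was successfully logged on.\r\n\r\n"
        "Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\r\n"
        "Logon Type:\t\t10\r\n\r\n"
        "New Logon:\r\n\tAccount Name:\t\tj.doe\r\n"
    ),
}
CONSOLE_LOGON = {
    "EventCode": "4624",
    "Message": (
        "An account was successfully logged on.\r\n\r\n"
        "Logon Type:\t\t2\r\n\r\n"
        "New Logon:\r\n\tAccount Name:\t\tadmin\r\n"
    ),
}
ACCOUNT_CREATED = {
    "EventCode": "4720",
    "Message": "A user account was created.\r\n\r\nNew Account:\r\n\tAccount Name:\t\tsvc-backup\r\n",
}

# The rules from the thread: the first uses a search-time field, the second
# matches the raw Message text, and whitelist2 selects further account events.
BROKEN_RULE = r'EventCode=%^(4624)$% Logon_Type=%^10$%'
WORKING_RULE = r'EventCode=%^(4624)$% Message="Logon\sType:\t+10"'
WHITELIST2 = r'EventCode=%^(4625|4647|4720|4722|4724|4725|4726|4738|4781)$%'

# One key=regex pair, with the regex written either as %...% or as "..." (both
# forms appear in the thread). Assumed syntax for this simulation.
RULE_TOKEN = re.compile(r'(\w+)=(?:%(.*?)%|"(.*?)")')


def parse_rule(rule):
    """Split 'Key=%regex% Key2="regex"' into a list of (key, compiled regex)."""
    pairs = []
    for key, percent_form, quoted_form in RULE_TOKEN.findall(rule):
        pairs.append((key, re.compile(percent_form if percent_form else quoted_form)))
    return pairs


def matches(rule, event):
    """True only if every key on the whitelist line exists in the event and its regex matches (assumed AND)."""
    pairs = parse_rule(rule)
    if not pairs:
        return False
    return all(key in event and regex.search(event[key]) for key, regex in pairs)


def accepted(event, rules):
    """whitelist1..N are alternatives (assumed OR): forward the event if any line matches."""
    return any(matches(rule, event) for rule in rules)


if __name__ == "__main__":
    rules = [WORKING_RULE, WHITELIST2]
    for name, event in [("RDP logon", RDP_LOGON), ("console logon", CONSOLE_LOGON), ("account created", ACCOUNT_CREATED)]:
        print(f"{name:16} broken={matches(BROKEN_RULE, event)!s:5} working={matches(WORKING_RULE, event)!s:5} forwarded={accepted(event, rules)}")
```

Running it shows the RDP logon being accepted only by the Message-based rule, the console logon (type 2) being dropped, and the 4720 event passing through whitelist2 unchanged.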
Hello,
I want to execute a shell script daily that copies data to the csv directory of Splunk.
Is it a good way to do this with Splunk, or should I use Linux cron for this instead?
Please send me the necessary file to do this, thank you.
Regards, Gerd
Hello,
I have to filter on the following literals in an event and I am new to regex:
user:info
ifconfig
Both literals must be in that event.
This doesn't work:
^.?\buser:info\b.?\bifconfig\b.*?$
Thank you for helping
Gerd
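The posted pattern fails because `.?` allows at most one character between the start of the event and the first literal, and between the two literals, so it only matches when they sit almost adjacent at the very beginning. The Python below is an added example, not code from this post, that runs the posted pattern and an order-independent alternative (two lookaheads, one per literal) over constructed syslog-style lines; the sample events are made up for the demonstration.

```python
import re

# The pattern as posted: `.?` permits at most one character at each position,
# so "user:info" must start at offset 0 or 1 and "ifconfig" must follow within
# one character of it.
POSTED = re.compile(r'^.?\buser:info\b.?\bifconfig\b.*?$')

# Alternative: each lookahead scans the whole event for one literal, so both must
# be present, in any order and at any distance. (?s) lets `.` cross line breaks
# for multi-line events; \b keeps "user:information" and "ifconfig2" from matching.
BOTH_LITERALS = re.compile(r'(?s)^(?=.*\buser:info\b)(?=.*\bifconfig\b)')

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    "user:info ifconfig",                                            # 0: literals adjacent at line start
    "Mar  3 10:15:01 host1 user:info root ran ifconfig eth0",        # 1: both, separated by other text
    "Mar  3 10:15:02 host1 ifconfig output logged at user:info",     # 2: both, reversed order
    "Mar  3 10:15:03 host1 user:info sshd session opened for root",  # 3: only user:info
    "Mar  3 10:15:04 host1 daemon:notice ifconfig lo up",            # 4: only ifconfig
    "Mar  3 10:15:05 host1 user:information ifconfig2 run",          # 5: neither as a whole word
]


def filter_events(pattern, events):
    """Return the events the pattern accepts, i.e. what a regex filter would keep."""
    return [event for event in events if pattern.search(event)]


if __name__ == "__main__":
    print("posted pattern keeps:")
    for event in filter_events(POSTED, SAMPLE_EVENTS):
        print("  ", event)
    print("lookahead pattern keeps:")
    for event in filter_events(BOTH_LITERALS, SAMPLE_EVENTS):
        print("  ", event)
```

The posted pattern keeps only event 0; the lookahead version keeps events 0, 1 and 2 and rejects the lines where one literal is missing or only appears as part of a longer word.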
Hello,
I have set a default dashboard on "app/launcher/home". Now I want to reset this page to the Splunk standard.
In the dropdown I can't choose this empty page.
Where can I reset this?
Thanks in advance.
Hello,
I only want to monitor files in the directory pkorb and not files in the subdirectory pkorb/oldlogs.
What is the right monitor stanza?
[monitor:///var/log/pkorb]
[monitor:///var/log/pkorb/]
or any other?