×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
nmccaffery333
Loves-to-Learn Lots
Member since: ‎09-17-2020
‎07-12-2024
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-17-2020
Activity Feed
Topics I've Started
View All

Re: Transforms.conf issue

by in Getting Data In
‎09-17-2020 10:13 AM
‎09-17-2020 10:13 AM
Here's and example event;   09/17/2020 12:10:53 PM LogName=System SourceName=Microsoft-Windows-Service Control Manager EventCode=7036 EventType=4 Type=Information ComputerName=oneof.my.servers TaskCategory=None OpCode=The operation completed successfully. RecordNumber=15183030 ... View more

Re: Transforms.conf issue

by in Getting Data In
‎09-17-2020 10:10 AM
‎09-17-2020 10:10 AM
That makes sense, and I think I tried it before. I just tried it again and those events are still showing up.   ... View more

Transforms.conf issue

by in Getting Data In
‎09-17-2020 09:29 AM
‎09-17-2020 09:29 AM
We're working with a 30 day trial as we wait for procurement to purchase a full license. While learning and configuring the system, I'm working on getting rid of some events we don't want to see. So far it's not working. My first question is, will this work on a Trial license? If it will, here's what my files looks like. I've tried as many combinations and formats as I can find examples for. I had the Transforms settings all in one stanza to start with, below is my latest attempt. If I run "splunk btool check", I see no errors. Help! Please .   props.conf: [WinEventLog:Security] TRANSFORMS-security = setnull0 [WMI:WinEventLog:System] TRANSFORMS-wmisystem = setnull1 [WinEventLog:System] TRANSFORMS-system = setnull2   transforms.conf: [setnull0] SOURCE_KEY = dest REGEX = ^EventCode=(1107|4688|7036|10028)\D DEST_KEY = queue FORMAT = nullQueue [setnull1] SOURCE_KEY = dest REGEX = ^EventCode=(1107|4688|7036|10028)\D DEST_KEY = queue FORMAT = nullQueue [setnull2] SOURCE_KEY = dest REGEX = ^EventCode=(1107|4688|7036|10028)\D DEST_KEY = queue FORMAT = nullQueue   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-12-2024 02:21 PM