How to Exclude Windows EventTypes in Splunk Heavy ...

uayub · ‎02-28-2013

I'm trying to exclude event type "4674" from showing up in my Splunk Indexer. I'm using in Heavy Forwarder. I was making changes in the props.conf and transform.conf files in the Local file folder as opposed to the Default file folder.

I'm using a Heavy Forwarder on a Windows 7 32-bit VMWare box.

Here's my coding:

Props.conf changes

[WMI:WinEventLog:Security]
TRANSFORMS-set=setnull

Transform.conf changes

[setnull] REGEX =(?msi)^EventCode = (4674).*^Type=Success Audit DEST_KEY=queue FORMAT=nullQueue

When I check my indexer, event code 4674 still appears.

sbrant_splunk · ‎02-28-2013

I think you are close to what you want to but there is one (maybe more) error. One error was the spaces that you had in the regex, also specifying ".*^Type=Success Audit" in the regex is unnecessary. I also modified the sourcetype name in the props.conf stanza (are you actually collecting the logs via WMI?)

Try this:

props.conf changes

[WinEventLog:Security]
TRANSFORMS-set=setnull

transforms.conf changes

[setnull] 
REGEX=(?mi)^EventCode=(4674)
DEST_KEY=queue 
FORMAT=nullQueue

sbrant_splunk · ‎02-28-2013

Also, be sure to put these configs in the props/transforms on the heavy forwarder and not the indexer.