How to Exclude Windows EventTypes in Splunk Heavy ...

uayub · ‎02-28-2013

I'm trying to exclude event type "4674" from showing up in my Splunk Indexer. I'm using in Heavy Forwarder. I was making changes in the props.conf and transform.conf files in the Local file folder as opposed to the Default file folder.

I'm using a Heavy Forwarder on a Windows 7 32-bit VMWare box.

Here's my coding:

Props.conf changes

[WMI:WinEventLog:Security]
TRANSFORMS-set=setnull

Transform.conf changes

[setnull] REGEX =(?msi)^EventCode = (4674).*^Type=Success Audit DEST_KEY=queue FORMAT=nullQueue

When I check my indexer, event code 4674 still appears.

sbrant_splunk · ‎02-28-2013

I think you are close to what you want to but there is one (maybe more) error. One error was the spaces that you had in the regex, also specifying ".*^Type=Success Audit" in the regex is unnecessary. I also modified the sourcetype name in the props.conf stanza (are you actually collecting the logs via WMI?)

Try this:

props.conf changes

[WinEventLog:Security]
TRANSFORMS-set=setnull

transforms.conf changes

[setnull] 
REGEX=(?mi)^EventCode=(4674)
DEST_KEY=queue 
FORMAT=nullQueue

sbrant_splunk · ‎02-28-2013

Also, be sure to put these configs in the props/transforms on the heavy forwarder and not the indexer.

How to Exclude Windows EventTypes in Splunk Heavy Fowarder

Props.conf changes

Transform.conf changes

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms