Getting Data In

How to Exclude Windows EventTypes in Splunk Heavy Fowarder

uayub
Path Finder

I'm trying to exclude event type "4674" from showing up in my Splunk Indexer. I'm using in Heavy Forwarder. I was making changes in the props.conf and transform.conf files in the Local file folder as opposed to the Default file folder.

I'm using a Heavy Forwarder on a Windows 7 32-bit VMWare box.

Here's my coding:

Props.conf changes

[WMI:WinEventLog:Security]
TRANSFORMS-set=setnull

Transform.conf changes

[setnull] REGEX =(?msi)^EventCode = (4674).*^Type=Success Audit DEST_KEY=queue FORMAT=nullQueue

When I check my indexer, event code 4674 still appears.

Tags (1)
0 Karma

sbrant_splunk
Splunk Employee
Splunk Employee

I think you are close to what you want to but there is one (maybe more) error. One error was the spaces that you had in the regex, also specifying ".*^Type=Success Audit" in the regex is unnecessary. I also modified the sourcetype name in the props.conf stanza (are you actually collecting the logs via WMI?)

Try this:

props.conf changes

[WinEventLog:Security]
TRANSFORMS-set=setnull

transforms.conf changes

[setnull] 
REGEX=(?mi)^EventCode=(4674)
DEST_KEY=queue 
FORMAT=nullQueue
0 Karma

sbrant_splunk
Splunk Employee
Splunk Employee

Also, be sure to put these configs in the props/transforms on the heavy forwarder and not the indexer.

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...