Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Exclude Windows EventTypes in Splunk Heavy Fowarder

uayub
Path Finder
‎02-28-2013 03:16 PM

I'm trying to exclude event type "4674" from showing up in my Splunk Indexer. I'm using in Heavy Forwarder. I was making changes in the props.conf and transform.conf files in the Local file folder as opposed to the Default file folder.

I'm using a Heavy Forwarder on a Windows 7 32-bit VMWare box.

Here's my coding:

Props.conf changes

[WMI:WinEventLog:Security]
TRANSFORMS-set=setnull

Transform.conf changes

[setnull] REGEX =(?msi)^EventCode = (4674).*^Type=Success Audit DEST_KEY=queue FORMAT=nullQueue

When I check my indexer, event code 4674 still appears.

Tags (1)
0 Karma
Reply

sbrant_splunk
Splunk Employee
Splunk Employee
‎02-28-2013 06:48 PM

I think you are close to what you want to but there is one (maybe more) error. One error was the spaces that you had in the regex, also specifying ".*^Type=Success Audit" in the regex is unnecessary. I also modified the sourcetype name in the props.conf stanza (are you actually collecting the logs via WMI?)

Try this:

props.conf changes

[WinEventLog:Security]
TRANSFORMS-set=setnull

transforms.conf changes

[setnull] 
REGEX=(?mi)^EventCode=(4674)
DEST_KEY=queue 
FORMAT=nullQueue
0 Karma
Reply

sbrant_splunk
Splunk Employee
Splunk Employee
‎02-28-2013 07:01 PM

Also, be sure to put these configs in the props/transforms on the heavy forwarder and not the indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...