Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use regex to filter out Windows events with Account names ending with $?

kiran331
Builder
‎09-14-2017 02:14 PM

Hi

How to edit props.conf and transforms.conf to exclude the windows events with event Codes 4634 at indexing time and Account_Name ending with $? Below is the sample eventalt text

Preview file
21 KB
0 Karma
Reply

Sukisen1981
Champion
‎09-15-2017 10:06 AM

Hi,

Why don't you try blacklist in inputs.conf if you are on universal forwarder?
[your stanza / what you are monitoring]
blacklist = 400
will ignore all 400 type errors

0 Karma
Reply

malvidin
Communicator
‎09-14-2017 02:32 PM

I recommend not using a regular expression.

<base search> NOT (EventCode="4634" OR Account_Name="*$")

If you're set on using regular expressions, try the following.

<base search>
| regex Account_Name!="\$$"
| regex EventCode!="4634"

Both searches assume you've extracted those fields. You can create a regular expression to search against the raw field, but I recommend searching against extracted fields.

If you want to go a step further, try mapping it to the Splunk CIM, and then searching against the CIM field names.

0 Karma
Reply

kiran331
Builder
‎09-14-2017 02:33 PM

I want to ignore them at indexing time

0 Karma
Reply

istutig
Loves-to-Learn Lots
‎11-20-2020 01:22 AM

@kiran331 Did you find the correct regex to blacklist Account name ending with $ at index time

0 Karma
Reply

malvidin
Communicator
‎09-14-2017 02:51 PM

I recommend changing your question title and summary to include the information from your comment, or you might get answers that don't address your situation.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...