Hi, I'm trying to filter certain Windows event IDs, which need to be sent to the indexer, and drop the rest. My props.conf looks as below:

    [WinEventLog:Security]
    TRANSFORMS-security = adlog, dropadlog

And my transforms.conf looks as below:

    # Catch-all: matches every event and routes it to nullQueue (dropped)
    [dropadlog]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

    # Routes the listed Security event codes to indexQueue (kept)
    [adlog]
    REGEX = (?msi)^EventCode=(4624|4625|4688|4768|4769|4771|4773|4776|4740)
    DEST_KEY = queue
    FORMAT = indexQueue

On querying through the search head, I don't see any events coming through the HF. Rather, I see events from other hosts that are configured to send events directly to the indexers. Could someone help me understand what's going wrong with the HF configuration? My inputs.conf is below:

    [default]
    host = Hostname of HF

    [splunktcp://9997]
    disabled = false

And outputs.conf:

    [tcpout]
    defaultGroup = default-autolb-group

    [tcpout-server://Indexer1:9997]
    [tcpout-server://Indexer2:9997]

    [tcpout:default-autolb-group]
    disabled = false
    server = Indexer1:9997,Indexer2:9997,Indexer3:9997

    [tcpout-server://Indexer3:9997]
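Both transforms in the posted transforms.conf write the same DEST_KEY (queue). Splunk evaluates the transforms named in a TRANSFORMS-* setting in the order they are listed, and when more than one matching transform writes the same key, the last one wins. With `TRANSFORMS-security = adlog, dropadlog`, the catch-all `REGEX = .` runs after the keep rule and overrides it, so every WinEventLog:Security event parsed on the HF lands in nullQueue, which matches the symptom of seeing only events from hosts that bypass the HF. The documented pattern is to list the nullQueue transform first and the indexQueue transform last. The script below is an added example, not part of the original post or of Splunk's own code: it is a simplified Python model of that last-match-wins evaluation, run over the posted transforms.conf text and a few constructed WinEventLog:Security events, for both orderings.

```python
"""Simplified model of how Splunk applies a TRANSFORMS-* list to one event.

Assumption (documented Splunk behaviour, modelled here, not Splunk's code):
transforms run in the order listed, and each one whose REGEX matches writes
its FORMAT into DEST_KEY, so a later match overwrites an earlier one.
"""
import configparser
import re

# The transforms.conf from the post, embedded as a constructed string.
TRANSFORMS_CONF = """
[dropadlog]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[adlog]
REGEX = (?msi)^EventCode=(4624|4625|4688|4768|4769|4771|4773|4776|4740)
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed sample events in the multi-line layout Splunk uses for
# WinEventLog:Security (one Field=Value per line, so ^EventCode= needs (?m)).
EVENTS = {
    "logon_4624": "\n".join([
        "01/15/2024 10:00:00 AM", "LogName=Security", "EventCode=4624",
        "EventType=0", "Message=An account was successfully logged on.",
    ]),
    "object_4663": "\n".join([
        "01/15/2024 10:00:01 AM", "LogName=Security", "EventCode=4663",
        "EventType=0", "Message=An attempt was made to access an object.",
    ]),
    "proc_4688": "\n".join([
        "01/15/2024 10:00:02 AM", "LogName=Security", "EventCode=4688",
        "EventType=0", "Message=A new process has been created.",
    ]),
}


def load_transforms(conf_text):
    """Parse Splunk's ini-style transforms.conf into {stanza: settings}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT as written
    cp.read_string(conf_text)
    return {
        name: {
            "regex": re.compile(cp[name]["REGEX"]),
            "dest_key": cp[name]["DEST_KEY"],
            "format": cp[name]["FORMAT"],
        }
        for name in cp.sections()
    }


def route(event, transforms, order):
    """Return the queue the event ends up in after the TRANSFORMS-* list."""
    keys = {"queue": "indexQueue"}  # default destination if nothing rewrites it
    for name in (n.strip() for n in order.split(",")):
        t = transforms[name]
        if t["regex"].search(event):
            keys[t["dest_key"]] = t["format"]  # later matches overwrite earlier ones
    return keys["queue"]


def route_all(order, conf_text=TRANSFORMS_CONF):
    """Route every sample event for one TRANSFORMS-security ordering."""
    transforms = load_transforms(conf_text)
    return {name: route(ev, transforms, order) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for order in ("adlog, dropadlog", "dropadlog, adlog"):
        print(f"TRANSFORMS-security = {order}")
        for name, queue in route_all(order).items():
            print(f"  {name:12s} -> {queue}")
```

Run as a script, the first table (the posted order) shows all three events in nullQueue; the second shows 4624 and 4688 in indexQueue and 4663 in nullQueue. The corresponding fix in the posted props.conf is `TRANSFORMS-security = dropadlog, adlog`. The model ignores everything else in the parsing pipeline, so it only demonstrates the ordering point; it also assumes the HF is actually parsing these events, i.e. the forwarders send unparsed data to it (a universal forwarder does by default). Dropping events at the HF is irreversible, so check that the kept list covers what your detections rely on (4624/4625 for logons, 4688 for process creation, 4740 for lockouts, and so on) before rolling it out.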