I want to filter out all Successful NULL user logins from the Windows Security logs by using transforms.conf to send to the nullQueue before indexing.
In the Search app, the lines are displayed as:
But I am not sure how to create the regex to handle both lines even though the lines come after one another. All the regex testers I have tried have not been helpful.
By default, Splunk should extract those fields with its automatic field extraction. For any key=value, Splunk is pretty friendly. To optimize a search that finds all of these:
Assuming each event contains both of these lines, here is the search:
To filter these events from your results, you want to negate the terms:
answered 10 May '11, 10:44
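The original post's sample lines and search did not survive on this page, so here is an added example (not from the asker or the answerer) of the regex problem in the question: matching two lines that belong to one multi-line event, as a transforms.conf REGEX applied to `_raw` must. The event layout, field names, the `NULL` value and the stanza name `drop_null_user_logon` are all constructed assumptions; `TRANSFORMS-`, `REGEX`, `DEST_KEY = queue` and `FORMAT = nullQueue` are the standard Splunk keys for routing to the nullQueue.

```python
import re

# Written the way a transforms.conf REGEX is: PCRE-style, with (?s) so that "."
# also matches the newline between the two lines of one event.
NULL_LOGON_PATTERN = r"(?s)successfully logged on\..*?Account Name:\s+NULL\b"

# Same pattern without (?s): "." stops at the first newline, so the second
# line is never reached. This is why single-line regex testers mislead here.
NAIVE_PATTERN = r"successfully logged on\..*?Account Name:\s+NULL\b"

# Equivalent Splunk configuration (assumed sourcetype and stanza names):
#   props.conf
#     [WinEventLog:Security]
#     TRANSFORMS-null = drop_null_user_logon
#   transforms.conf
#     [drop_null_user_logon]
#     REGEX = (?s)successfully logged on\..*?Account Name:\s+NULL\b
#     DEST_KEY = queue
#     FORMAT = nullQueue


def routes_to_null_queue(event, pattern=NULL_LOGON_PATTERN):
    """True if the whole multi-line event matches and would be dropped."""
    return re.search(pattern, event) is not None


def filter_events(events):
    """Return only the events that would still reach the index."""
    return [e for e in events if not routes_to_null_queue(e)]


# Constructed sample events (simplified layout, not real Windows output).
NULL_USER_LOGON = "\n".join([
    "EventCode=4624",
    "Message=An account was successfully logged on.",
    "Account Name:      NULL",
    "Logon Type:        3",
])
REAL_USER_LOGON = "\n".join([
    "EventCode=4624",
    "Message=An account was successfully logged on.",
    "Account Name:      jsmith",
    "Logon Type:        2",
])
FAILED_NULL_LOGON = "\n".join([
    "EventCode=4625",
    "Message=An account failed to log on.",
    "Account Name:      NULL",
])
```

Only the successful NULL logon is dropped; the failed NULL logon and real-user logon still index, and the same event is missed entirely when `(?s)` is left out.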