
Hi,

I had installed Splunk on serverA and serverB and configured both as forwarders to forward Windows event logs (wineventlogs) to the Splunk indexer.

I would like to filter out certain events (e.g. 540), and I tried doing this on the Splunk indexer itself:

/opt/splunk/etc/system/local/props.conf
[WinEventLog:Security]
TRANSFORMS-null = setnull

/opt/splunk/etc/system/local/transforms.conf
[setnull]
REGEX = (?m)^EventCode=540
DEST_KEY = queue
FORMAT = nullQueue

Apparently it still doesn't work; after doing a search, the events are still shown:
host="serverA" EventCode=540

1) How do I filter out event code 540? Should it be done on the forwarder itself or splunk indexer?

2) How do I filter out event code 540, only on serverA and not serverB?

Thanks.

asked 05 Jul '10, 04:09

apro


2 Answers:

Not sure of anything yet, but I have tried shifting the configuration to the forwarder itself now, as mine seems to be a heavy forwarder.

Found this link to be useful: Where do I configure my Splunk settings?

Seems OK, but I am monitoring it. If it works, it solves my problem of filtering out event codes on one server but not another as well.

answered 05 Jul '10, 08:42

apro
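An added example, not from the original post or from Splunk, that models why the question's indexer-side nullQueue rule had no effect and why moving it to serverA's heavy forwarder filters only serverA. The sample events are constructed, HEAVY_FORWARDERS and the "parsed once, at the first full instance" model are simplifying assumptions, and it also goes one step further than the page by showing that the posted REGEX, lacking an end anchor, would drop EventCode=5400 as well.

```python
import re

# Constructed sample events in the classic multi-line WinEventLog:Security
# layout (not real log data). EventCode= sits on its own line inside the
# event, which is why the REGEX on the page needs the (?m) flag with ^.
EVENTS = [
    {"host": "serverA", "raw": "07/05/2010 04:09:00 AM\nLogName=Security\nEventCode=540\nMessage=Network logon"},
    {"host": "serverA", "raw": "07/05/2010 04:10:00 AM\nLogName=Security\nEventCode=528\nMessage=Logon"},
    {"host": "serverB", "raw": "07/05/2010 04:11:00 AM\nLogName=Security\nEventCode=540\nMessage=Network logon"},
    {"host": "serverB", "raw": "07/05/2010 04:12:00 AM\nLogName=Security\nEventCode=5400\nMessage=Not a 540"},
]

# Simplified model (an assumption for this example, not Splunk's own code):
# each event is parsed once, at the first full Splunk instance on its path.
# A heavy forwarder parses locally, so the indexer's props/transforms never
# see that event; a universal forwarder leaves parsing to the indexer.
HEAVY_FORWARDERS = {"serverA", "serverB"}   # both hosts run a heavy forwarder

PAGE_REGEX = r"(?m)^EventCode=540"          # as posted: no end anchor
ANCHORED_REGEX = r"(?m)^EventCode=540\r?$"  # \r? tolerates CRLF line endings

def parsing_instance(host):
    """Name of the instance whose TRANSFORMS apply to this host's events."""
    return host if host in HEAVY_FORWARDERS else "indexer"

def route(events, nullqueue_rules):
    """nullqueue_rules maps instance name -> list of nullQueue regexes.
    Returns the events that reach the index (those not sent to nullQueue)."""
    kept = []
    for ev in events:
        patterns = nullqueue_rules.get(parsing_instance(ev["host"]), [])
        if not any(re.search(p, ev["raw"]) for p in patterns):
            kept.append(ev)
    return kept

def codes(events):
    """(host, EventCode) pairs, for inspecting what was kept."""
    return [(e["host"], re.search(r"(?m)^EventCode=(\d+)$", e["raw"]).group(1))
            for e in events]

if __name__ == "__main__":
    # Question's setup: rule on the indexer only -> nothing is dropped.
    print(codes(route(EVENTS, {"indexer": [PAGE_REGEX]})))
    # Answer's fix: rule on serverA's heavy forwarder -> only serverA's 540 dropped.
    print(codes(route(EVENTS, {"serverA": [PAGE_REGEX]})))
    # Caveat: without an end anchor the posted regex also drops EventCode=5400.
    print(codes(route(EVENTS, {"serverB": [PAGE_REGEX]})))
    print(codes(route(EVENTS, {"serverB": [ANCHORED_REGEX]})))
```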

Did this ever start working for you?


answered 23 Aug '10, 20:50

aaronzabell

Seen: 1,271 times

Last updated: 23 Aug '10, 20:50

Copyright © 2005-2012 Splunk, Inc. All rights reserved.