Hi Cusello,

Its still indexing Read Events. Below are my config files, Did I miss anthing?

props.conf

[WinEventLog:Security]

Returns most of the space savings XML would provide

SEDCMD-clean0 = s/(?m)(^\s+[^:]+:)\s+-?$/\1/g s/(?m)(^\s+[^:]+:)\s+-?$/\1/g s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g

Returns most of the space savings XML would provide

SEDCMD-clean1 = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2 = s/Certificate information is only[\S\s\r\n]+$//g

addresses most of the Ipv6 log event issues

SEDCMD-clean3 = s/::ffff://g

FIX #1

SEDCMD-clean4 = s/Token Elevation Type indicates[\S\s\r\n]+$//g

TRANSFORMS-set-null=set_parsing,set_null

TRANSFORMS-set-exclude=set_nullqueue

transforms.conf:

[Target_Server_Name_as_dest_nt_host]
SOURCE_KEY = Target_Server_Name
REGEX = ^(?!localhost)([\]+)?([^-].*)
FORMAT = dest_nt_host::"$2"

[Target_Server_Name_as_dest]
SOURCE_KEY = Target_Server_Name
REGEX = ^(?!localhost)([\]+)?([^-].*)
FORMAT = dest::"$2"

[set_parsing]
REGEX= .
DEST_KEY=queue
FORMAT=indexQueue

[set_null]
REGEX=(?ms)EventCode=4663.*Accesses:\sReadData\s(or\sListDirectory)
DEST_KEY=queue
FORMAT=nullQueue

[set_nullqueue]
REGEX=C:\Program Files\SplunkUniversalForwarder\bin\*
DEST_KEY=queue
FORMAT=nullQueue

Hi kiran331,
Parentheses are special characters for regex so you must put a backslash before them where they are in the search string.
So the regex of set_null stanza is

(?ms)EventCode\=4663.*Accesses:\sReadData\s\(or\sListDirectory\)

Bye.
Giuseppe

I tried below, its not working, did I miss anything?

props.conf

TRANSFORMS-set-null=set_null

transforms.conf

[set_null]
REGEX="(?msi)EventCode=4663.*readdata|EventCode=4663.*listdirectory"
DEST_KEY=queue
FORMAT=nullQueue

Try this regex instead.

(EventCode=4663*.readdata|EventCode=4663.*listdirectory)

I tried, its not working.

[set_null_1]
REGEX=EventCode=4663.*readdata
DEST_KEY=queue
FORMAT=nullQueue

[set_null_2]
REGEX=EventCode=4663.*listdirectory
DEST_KEY=queue
FORMAT=nullQueue

try two seperate stanza's and call them out in props. Sometimes regex is funky with the ".*" and "|" matches in preindexing.

I tried, its not filtering out the events, I'm also using one more regex to filter out splunk events, May be this is caousing the issue.

props.conf:

TRANSFORMS-set-exclude=set_exclude,set_nullqueue

TRANSFORMS-set-null1=set_null_1

TRANSFORMS-set-null2=set_null_2

transforms.conf:

[set_exclude]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

[set_nullqueue]
REGEX=C:\Program Files\SplunkUniversalForwarder\bin\*
DEST_KEY=queue
FORMAT=nullQueue

[set_null_1]
REGEX=EventCode=4663.*readdata
DEST_KEY=queue
FORMAT=nullQueue

[set_null_2]
REGEX=EventCode=4663.*listdirectory
DEST_KEY=queue
FORMAT=nullQueue

Did you restart splunkd after making these changes?

yes, I restarted all Indexers

As a test, remove the ".* " and everything after it from your regexes and see if that works.

I removed everything after EventCode, it filtered out all Event with 4663.

[set_remove]
REGEX = EventCode=4663
DEST_KEY=queue
FORMAT=nullQueue

is it filtering out all of those events?

yes, it filtering all events with 4663 Eventcodes, but I have filter out with Accesses: ReadData (or ListDirectory)

yeah, so you'll need to find the right RegEx match to filter out what you need. I use .* or .+ in my extractions, but for some reason, during pre-indexing Splunk doesn't like those big wildcards.