I'm having some issues filtering / ignoring some events in Splunk on an indexer.
I'm running a Splunk 4.3.3 indexer on Ubuntu 12.04 and it's working well, receiving inputs from remote syslog hosts and a Windows host running splunkforwarder-4.3.3-128297-x86-release.
The issue is, I'd like to filter out some events. Following a doc here...
Filter windows events on indexer from a universal forwarder http://splunk-base.splunk.com/answers/24310/filter-windows-events-on-indexer-from-a-universal-forwarder
I can successfully filter out the security events, but for whatever reason the system event 10060 is still coming through.
root@box:/home/msbren# cat /opt/splunk/etc/system/local/transforms.conf
[FilterSecurityEvents]
REGEX=(?msi)^EventCode=(4634|4624|4769|515|577)
DEST_KEY=queue
FORMAT=nullQueue
[FilterSystemEvents]
REGEX=^EventCode=10016
DEST_KEY=queue
FORMAT=nullQueue
root@box:/home/msbren# cat /opt/splunk/etc/system/local/props.conf
[WinEventLog:Security]
TRANSFORMS-Filter_Events = FilterSecurityEvents
[WinEventLog:System]
TRANSFORMS-Filter_Events = FilterSystemEvents
root@box:/home/msbren#
From what I understand I'm doing things correctly, so I must be missing something. If anyone has any advice I'd be very appreciative.
-Mike
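To see how the two posted stanzas can behave differently, here is an added Python script (not from the original post, and not Splunk's own code) that applies each REGEX to constructed sample events laid out the way the forwarder sends Windows events, one field per line. It assumes the indexer applies REGEX with PCRE-style semantics, where ^ only anchors at the very start of the whole event unless (?m) is set, which the Security stanza has and the System stanza does not; it also extracts the EventCode an event actually carries so it can be compared with the code written into the REGEX.

```python
import re

# Constructed sample events in the multi-line field=value layout the Windows
# forwarder sends; these are not events from the original post.
SYSTEM_EVENT = (
    "07/18/2012 10:15:02 AM\n"
    "LogName=System\n"
    "SourceName=Microsoft-Windows-DistributedCOM\n"
    "EventCode=10016\n"
    "EventType=3\n"
)
SECURITY_EVENT = (
    "07/18/2012 10:15:03 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4624\n"
    "EventType=0\n"
)

# The two transforms as posted, plus a variant of the System one carrying the
# same (?msi) prefix the Security stanza already uses (assumed fix, not posted).
TRANSFORMS = {
    "FilterSecurityEvents": r"(?msi)^EventCode=(4634|4624|4769|515|577)",
    "FilterSystemEvents": r"^EventCode=10016",
    "FilterSystemEvents_multiline": r"(?msi)^EventCode=10016",
}

def transform_matches(regex, event):
    """Apply a transforms.conf REGEX to a raw event: the pattern is searched
    anywhere in the event, but '^' anchors only at the start of the whole
    event unless (?m) is present."""
    return re.search(regex, event) is not None

def route(event, transform_names):
    """Return the queue the event lands in: 'nullQueue' if any listed
    transform (DEST_KEY=queue, FORMAT=nullQueue) matches, else 'indexQueue'."""
    for name in transform_names:
        if transform_matches(TRANSFORMS[name], event):
            return "nullQueue"
    return "indexQueue"

def first_eventcode(event):
    """Extract the EventCode the event actually carries, to compare against
    the code written into the REGEX."""
    m = re.search(r"(?m)^EventCode=(\d+)", event)
    return m.group(1) if m else None

if __name__ == "__main__":
    print(route(SECURITY_EVENT, ["FilterSecurityEvents"]))        # nullQueue
    print(route(SYSTEM_EVENT, ["FilterSystemEvents"]))            # indexQueue
    print(route(SYSTEM_EVENT, ["FilterSystemEvents_multiline"]))  # nullQueue
```

Running it shows the unanchored System stanza never matches because EventCode= is not the first line of the event, while the (?msi) form sends the event to nullQueue.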