So I'm indexing the security log entries from my ADs but they are pretty big. I figured out how to route the entries I want to the null queue (entries for successful login and logoff are very noisy: event codes 4634 and 4624).
However, all of the extracted fields aren't available in the sidebar any longer, making it more difficult to drill down (see link to caveats below).
Aside from changing what gets audited by the security log on the AD servers, is there a different way to prevent the successful logon and logoff entries from being indexed and thereby counting against my quota?
docs (dot) splunk (dot) com/Documentation/Splunk/7.3.1/Forwarding/Routeandfilterdatad#Caveats_for_routing_and_filtering_structured_data
----------
props.conf
[source::WMI...]
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
TRANSFORMS-FIELDS = wmi-host, wmi-override-host
SHOULD_LINEMERGE = false
# I added the following line. The above was already there.
TRANSFORMS-null = setnull
----------
transforms.conf
[setnull]
# Match the EventCode line only. An unanchored "4634|4624" matches anywhere in
# _raw, so it would also drop any event that merely contains those digits
# elsewhere (for example inside a RecordNumber or a SID).
REGEX = EventCode=(4634|4624)\b
DEST_KEY = queue
FORMAT = nullQueue
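A way to check what a nullQueue transform will actually discard before deploying it, as an added example that is not part of the original post: the script below mimics Splunk's routing (REGEX searched against the whole event, a match sends it to nullQueue) and runs both the bare "4634|4624" pattern and an EventCode-anchored pattern over a few constructed events in the key=value layout the WMI:WinEventLog input produces. The sample events, the helper names and the anchored pattern are assumptions for the demonstration; Splunk itself applies this at parse time on the indexer or heavy forwarder, and the script only models the regex decision.

```python
import re
from typing import Dict, List

# Constructed sample events in the key=value layout emitted by Splunk's
# WMI:WinEventLog input. Made up for this example, not data from the post.
SAMPLE_EVENTS: List[str] = [
    "EventCode=4624\nEventType=8\nLogName=Security\nRecordNumber=100001\n"
    "Message=An account was successfully logged on.",
    "EventCode=4634\nEventType=8\nLogName=Security\nRecordNumber=100002\n"
    "Message=An account was logged off.",
    # Process-creation event whose RecordNumber happens to contain "4624".
    "EventCode=4688\nEventType=8\nLogName=Security\nRecordNumber=46240017\n"
    "Message=A new process has been created.",
    "EventCode=4625\nEventType=16\nLogName=Security\nRecordNumber=100004\n"
    "Message=An account failed to log on.",
]

# Pattern as written in the posted transforms.conf: matches anywhere in _raw.
POSTED_REGEX = r"4634|4624"
# Tightened pattern: only the EventCode line; \b keeps "46240" from matching.
ANCHORED_REGEX = r"EventCode=(4634|4624)\b"


def event_code(event: str) -> str:
    """Return the EventCode value of one event, or 'unknown' if absent."""
    m = re.search(r"^EventCode=(\d+)$", event, re.MULTILINE)
    return m.group(1) if m else "unknown"


def route(events: List[str], regex: str) -> Dict[str, List[str]]:
    """Model a TRANSFORMS stanza with DEST_KEY = queue / FORMAT = nullQueue:
    an event whose raw text matches REGEX goes to nullQueue, every other
    event continues to indexQueue. Returns the EventCodes per destination."""
    pattern = re.compile(regex)
    routed: Dict[str, List[str]] = {"nullQueue": [], "indexQueue": []}
    for ev in events:
        dest = "nullQueue" if pattern.search(ev) else "indexQueue"
        routed[dest].append(event_code(ev))
    return routed


def dropped_codes(events: List[str], regex: str) -> List[str]:
    """EventCodes that the given REGEX would send to the null queue."""
    return route(events, regex)["nullQueue"]


if __name__ == "__main__":
    for name, rx in (("posted", POSTED_REGEX), ("anchored", ANCHORED_REGEX)):
        result = route(SAMPLE_EVENTS, rx)
        print(f"{name:8s} dropped={result['nullQueue']} "
              f"kept={result['indexQueue']}")
```

Running it shows the posted pattern discarding the 4688 process-creation event along with the two logon/logoff events, because its RecordNumber contains "4624", while the anchored pattern drops only 4624 and 4634. The same check works against real exported events: paste a handful of `_raw` values into `SAMPLE_EVENTS` and confirm nothing you need to keep ends up under `nullQueue`.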