Follow-up (ish) to https://answers.splunk.com/answers/757315/why-isnt-my-transforms-working.html as I let it sit idle for a while.
I want to index Event Code 4688: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688 The problem is that it generates a high volume of events. I determined I can filter the field **Security_ID** for values starting with *S-1-5-21-* (includes real users only). I want this to apply only to event code 4688. All other events should process normally.
**inputs.conf (forwarder app)**

```
[WinEventLog://Security]
disabled = 0
index = test
interval = 60
blacklist = 4688

[WinEventLog://Security]
disabled = 0
index = test
interval = 60
whitelist = 4688
sourcetype = Security4688
```
**\etc\apps\myapp\local\props.conf**

```
[Security4688]
TRANSFORMS-set = setnull,useronly4688
```
**\etc\apps\myapp\local\transforms.conf**

```
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[useronly4688]
REGEX = S-1-5-21-
DEST_KEY = queue
FORMAT = indexQueue
```
My thought was to have the forwarder change the sourcetype of event 4688, and leave all others alone. On the server, props can use that sourcetype to only use the regular expression on event 4688, and send non-matches to nullQueue. What's wrong here? Is it my use of duplicate stanzas?
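The queue routing that the props/transforms pair above relies on, modelled in Python as an added example (not Splunk's code and not the asker's setup): transforms run in the listed order and the last matching one sets the queue, and an unanchored `S-1-5-21-` regex accepts any 4688 event that carries a user SID anywhere in its body. The sample events, the Target Subject block and the field-anchored regex variant are constructed assumptions, not values from the post.

```python
import re

# Model of Splunk's TRANSFORMS-set queue routing as used in the question:
# transforms run in the listed order and the last one whose REGEX matches
# sets the queue. Added illustration only, not Splunk's own code.
UNANCHORED = [
    ("setnull",      re.compile(r"."),         "nullQueue"),
    ("useronly4688", re.compile(r"S-1-5-21-"), "indexQueue"),
]

# Variant that keys off the Subject's Security ID line only (assumes the
# classic multi-line event rendering; "Creator Subject:" on newer Windows).
ANCHORED = [
    ("setnull",      re.compile(r"."), "nullQueue"),
    ("useronly4688",
     re.compile(r"(?m)^(?:Creator )?Subject:\s+Security ID:\s+S-1-5-21-"),
     "indexQueue"),
]

def route(event: str, transforms) -> str:
    """Return the queue the event ends in; indexQueue if nothing matches."""
    queue = "indexQueue"
    for _name, regex, dest in transforms:
        if regex.search(event):
            queue = dest          # a later match overrides an earlier one
    return queue

# Constructed 4688 samples (not real log data).
USER_4688 = """EventCode=4688
A new process has been created.
Subject:
   Security ID:   S-1-5-21-1111111111-2222222222-3333333333-1001
   Account Name:  alice"""

SYSTEM_4688 = """EventCode=4688
A new process has been created.
Subject:
   Security ID:   S-1-5-18
   Account Name:  SYSTEM"""

# SYSTEM creates the process, but a user SID appears later in the body.
SYSTEM_4688_TARGET_USER = SYSTEM_4688 + """
Target Subject:
   Security ID:   S-1-5-21-1111111111-2222222222-3333333333-1001"""

if __name__ == "__main__":
    for name, ev in [("user", USER_4688), ("system", SYSTEM_4688),
                     ("system+target", SYSTEM_4688_TARGET_USER)]:
        print(f"{name:14} unanchored={route(ev, UNANCHORED):10} "
              f"anchored={route(ev, ANCHORED)}")
    # Listing setnull last would send every event to nullQueue.
    print("reversed order:", route(USER_4688, UNANCHORED[::-1]))
```

Only events already tagged with the `Security4688` sourcetype reach these transforms in the asker's design, so the model deliberately feeds it 4688 events only.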