
How do you filter out an event based on an account name?

Hello, I am trying to exclude specific event logs from a Windows system being forwarded and indexed to Splunk. What I need to do is to filter out an event based on the content of the event (actually for a specific user called installer). What I did so far is:

Under props.conf of the universal forwarder ($PROGRAMFILES\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\props.conf) I defined the following:

[WinEventLog:Security]
TRANSFORMS-t1=exclude-installer

and under transforms.conf on the same path the following:

[exclude-installer]
REGEX=(?s)(Account Name:\s\sinstaller)
DEST_KEY=queue
FORMAT=nullQueue

The problem is that this specific configuration does not work. Events are not filtered out... Any suggestions? Thank you in advance.
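A small Python harness, added here and not part of the question or of Splunk, that emulates the DEST_KEY=queue / FORMAT=nullQueue routing over constructed WinEventLog:Security events. TRANSFORMS-* stanzas run in the parsing pipeline, which a Universal Forwarder does not have, so the props.conf/transforms.conf pair takes effect only on an indexer or heavy forwarder; the harness shows what the quoted regex does once it runs there, including that it also drops accounts whose name merely begins with "installer". The anchored regex, the sample event text and the account names are assumptions of this example.

```python
import re

# Regex exactly as quoted from the transforms.conf stanza in the question.
# Python's re is close enough to Splunk's PCRE for these constructs.
TRANSFORM_REGEX = r"(?s)(Account Name:\s\sinstaller)"

# Anchored variant (an assumption added here, not from the question): it only
# matches when the whole Account Name value is "installer", so accounts such
# as "installer2" are still indexed.
ANCHORED_REGEX = r"(?m)^\s*Account Name:\s+installer\s*$"


def make_event(subject_account: str, logon_account: str) -> str:
    """Constructed text in the layout of a WinEventLog:Security 4624 event.

    Windows separates label and value with tabs, which is why the question's
    "\\s\\s" matches: each "\\s" consumes one tab.
    """
    return (
        "An account was successfully logged on.\r\n\r\n"
        "Subject:\r\n"
        "\tSecurity ID:\t\tS-1-5-18\r\n"
        f"\tAccount Name:\t\t{subject_account}\r\n"
        "\tAccount Domain:\t\tEXAMPLE\r\n\r\n"
        "New Logon:\r\n"
        "\tSecurity ID:\t\tS-1-5-21-0-0-0-1001\r\n"
        f"\tAccount Name:\t\t{logon_account}\r\n"
        "\tAccount Domain:\t\tEXAMPLE\r\n"
    )


def route(event: str, regex: str) -> str:
    """Emulate DEST_KEY=queue / FORMAT=nullQueue: a match drops the event."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


# Constructed samples: the machine account is the Subject, the user the logon.
SAMPLES = {
    "installer": make_event("HOST01$", "installer"),
    "installer2": make_event("HOST01$", "installer2"),
    "alice": make_event("HOST01$", "alice"),
}


def routing_table(regex: str) -> dict:
    """Map each sample name to the queue the transform would send it to."""
    return {name: route(ev, regex) for name, ev in SAMPLES.items()}


if __name__ == "__main__":
    for label, rx in (("question regex", TRANSFORM_REGEX), ("anchored", ANCHORED_REGEX)):
        print(label, routing_table(rx))
```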
