I have four Windows 2008 R2 servers each running a Splunk Universal Forwarder. On the Splunk server, in the transforms.conf file which resides in C:\Program Files\Splunk\etc\system\local, I have the following configuration:
[FilterSecurityEvents]
REGEX = (?m)EventCode=(5156)
DEST_KEY = queue
FORMAT = nullQueue
In the props.conf file, which also resides in C:\Program Files\Splunk\etc\system\local, I have the following entry:
[WinEventLog:Security]
TRANSFORMS-Filter_Events = FilterSecurityEvents
I am trying to stop EventCode 5156 from being indexed; however, this event code is still being indexed by Splunk. Does anyone have any idea as to why this is happening?
From browsing other splunkbase posts I have noticed that I am missing the ^ in the string. Should my entry be: REGEX = (?m)^EventCode=(5156)
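As an added check that is not part of the original question or of Splunk's own code, the Python snippet below emulates the nullQueue routing decision with Python's re module against constructed sample events, so both REGEX variants from the question can be compared offline before the live configuration is touched. It tests only whether the regex matches the event text, not where in the Splunk pipeline the transform is applied; the sample events are made up for this example.

```python
import re

# Constructed sample events in the multi-line key=value layout that a
# Windows Security event takes when collected as WinEventLog:Security
# (sample text is made up for this example, not real captured data).
EVENT_5156 = """LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
TaskCategory=Filtering Platform Connection
Message=The Windows Filtering Platform has permitted a connection.
"""

EVENT_4624 = """LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
TaskCategory=Logon
Message=An account was successfully logged on.
"""

# The two REGEX values discussed in the question, unanchored and anchored.
REGEX_UNANCHORED = r"(?m)EventCode=(5156)"
REGEX_ANCHORED = r"(?m)^EventCode=(5156)"


def route(event: str, regex: str) -> str:
    """Emulate the transform: a regex match sends the event to nullQueue
    (dropped before indexing); otherwise it keeps its normal route."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def compare(event: str) -> dict:
    """Return the route each REGEX variant gives the same event."""
    return {
        "unanchored": route(event, REGEX_UNANCHORED),
        "anchored": route(event, REGEX_ANCHORED),
    }


if __name__ == "__main__":
    for name, ev in (("5156", EVENT_5156), ("4624", EVENT_4624)):
        print(name, compare(ev))
```

On these samples both variants route the 5156 event to nullQueue and leave the 4624 event alone, so on a well-formed event the anchor by itself does not change the outcome.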