Hi! I am trying to set up filtering on my Splunk server that is receiving events from the Splunk universal forwarder on a Windows 2008 R2 server. The universal forwarder is configured to only forward Security events and was doing so correctly.
I created /opt/splunk/etc/system/local/props.conf:

[WinEventLog:Security]
TRANSFORMS-set = setnull
And /opt/splunk/etc/system/local/transforms.conf:

[setnull]
REGEX = (?msi)^EventCode=(?!(515|463|462|476)\b)
DEST_KEY = queue
FORMAT = nullQueue
I found http://splunk-base.splunk.com/answers/37593/filter-events-on-indexer and based the filter off of that, but now that I have enabled the above configuration, no alerts are coming through at all. Splunk hasn't indexed any events for over an hour now. I would think that I should still be receiving EventCode=4663 (for example).
Can anyone please tell me what I am doing wrong? Thanks!
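The following is an added example, not part of the original post or of any Splunk documentation: it replays the posted REGEX against constructed WinEventLog:Security event bodies to show which queue each EventCode would land in. The events, the host name and the second, four-digit allowlist (containing only 4663, the code the question expects to see) are assumptions made for illustration; Splunk evaluates the REGEX with PCRE against _raw, and Python's re module gives the same result for this pattern.

```python
import re

# Regex copied verbatim from the transforms.conf in the question.
POSTED_REGEX = r"(?msi)^EventCode=(?!(515|463|462|476)\b)"

# Assumption for illustration: the same allowlist shape written with a
# four-digit EventCode, which is what a Windows 2008 R2 Security log emits.
# Only 4663 (the code the question mentions) is listed; extend the
# alternation with whatever other codes you want to keep.
FOUR_DIGIT_REGEX = r"(?msi)^EventCode=(?!(4663)\b)"


def make_event(code: int) -> str:
    """Build a constructed, minimal WinEventLog:Security event body.

    Real events carry many more fields; only the layout the regex depends
    on (EventCode= at the start of its own line in a multi-line event)
    is reproduced here.
    """
    return (
        "03/15/2013 10:22:01 AM\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={code}\n"
        "EventType=0\n"
        "Type=Information\n"
        "ComputerName=host.example.local\n"  # constructed host name
        "Message=An attempt was made to access an object.\n"
    )


def sent_to_null_queue(regex: str, event: str) -> bool:
    """True when the transform's REGEX matches, i.e. the event is dropped.

    A transforms.conf REGEX is an unanchored search over _raw; a match
    sends the event to DEST_KEY = queue / FORMAT = nullQueue. The (?m)
    flag is what lets ^ match at the start of the EventCode line rather
    than only at the start of the whole event.
    """
    return re.search(regex, event) is not None


def route(regex: str, codes):
    """Map each EventCode to the queue it would land in under `regex`."""
    return {
        code: "nullQueue" if sent_to_null_queue(regex, make_event(code)) else "indexQueue"
        for code in codes
    }


if __name__ == "__main__":
    # 515 is a three-digit code from the posted allowlist; 5150 checks that
    # the trailing \b stops a prefix match; 4663 and 4624 are 2008 R2 codes.
    sample = [4663, 4624, 515, 5150]
    print("posted regex     :", route(POSTED_REGEX, sample))
    print("4-digit allowlist:", route(FOUR_DIGIT_REGEX, sample))
```

Run stand-alone, the script shows that the posted negative lookahead keeps an event only when its EventCode is exactly one of the listed three-digit values, so an event with EventCode=4663 matches the REGEX and is routed to the nullQueue. The second pattern keeps 4663 and drops everything else, which is the quickest way to confirm that the allowlist, not the props.conf wiring, decides what reaches the index. To test a candidate pattern against real data before reloading the indexer, paste a full event body into make_event's place and call sent_to_null_queue on it.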