Skip to main content
 
 
 
Splunk Lantern

Using ingest actions to filter Windows event logs

 

Windows event logs can pose challenges for Splunk platform users because of their volume and complexity. These logs, while rich in information, can inundate environments, producing a lot of noise and leading to inefficiencies. This article introduces a strategic approach to filter Windows event logs using ingest actions, ensuring that only relevant data reaches your environment, enhancing query efficiency and speeding up delivery of results.

Solution

You can manage these logs more easily by focusing on data quality through targeted ingestion, ensuring that only relevant, clean data is processed. Ingest actions offers a sophisticated toolkit for refining data at the point of ingestion. This feature allows you to selectively process logs based on predefined criteria, significantly improving data quality and operational efficiency.

To set up ingest actions, you should follow the specific ingest actions requirements for your environment. See instructions for Splunk Enterprise or Splunk Cloud Platform. For comprehensive details and guidelines on the prerequisites and capabilities of ingest actions, see Ingest actions requirements.

Configuring ingest actions

To follow the steps below, you'll need to ensure the Windows Add-on for Splunk is installed and configured, as well as verify that you have access to ingest actions with appropriate role permissions.

The ingest action rules recommended here are directly drawn from Splunk's best practices for Windows event log cleanup. The steps below translate these recommended transformations into practical ingest actions rulesets for efficient log management.

  1. Access ingest actions: Navigate to Settings > Data > Ingest Actions.
  2. Initiate masking: Select Mask with regular expression to start the filtering process.
  3. Access rule sets: Open the IA Win event rule set gist to view all available translation rules.
  4. Select data source: Identify and select the appropriate source for your logs, such as WinEventLog:System.
  5. Apply regex: Choose the relevant regex pattern that aligns with the data you want to mask.
  6. Configure replacement: In the replacement field, enter a blank space to effectively remove the matched strings.
  7. Verification: Ensure that the regex correctly matches and replaces the targeted strings with a blank space.

    If you are already implementing Windows event filtering via props.conf for the Splunk Add-On for Windows, you will not see any changes or any matches during the verification steps. In this case you can choose to stay with the current configuration, or move to using ingest actions.

By following these steps, you've successfully configured ingest actions to filter out unnecessary verbosity from Windows event logs, streamlining your data before it enters the Splunk platform.

Next steps

These resources might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.