InTrust Real-Time Collection and Splunk Forward Filter

When you create a forward filter to forward a list of event IDs to Splunk, you can say for Account Name "don't forward anything that ends with $"; this will not forward for all event IDs, but what if you want to forward anything that ends with $ for one or two event IDs in your list? How do you create the filter so it will forward everything, including anything that ends with $, for that specific event ID? I don't see an option in InTrust 11.4.

  • Hi Payank,

    You can use a custom query in Repository Viewer.

    1. Create a new Search under Custom Search Folders node
    2. Click Add or Remove Parameters in Search Filter
    3. Switch to Primary set
    4. Choose Custom
    5. Close Filter Parameters window
    6. Drag the upper border of the Search Filter up (increase the height of the Search Filter area) so that the Custom filter with the "true" value becomes visible
    7. Instead of true paste the following query: (not(in_range(EventID, "4672-4674,4688")) and (not(in(Account_Name,"bi",".*\\$")))) or in_range(EventID, "4672-4674,4688")
    8. Change 4672-4674,4688 (twice, at the beginning and at the end) to the EventIDs you want to appear with any Account Names, including those ending with $. You can combine EventID ranges (written with -) and single EventIDs.

    For the functions used in the query you can refer to the InTrust documentation: https://support.quest.com/technical-documents/intrust/11.4/customization-kit/7#TOPIC-867121
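The boolean structure of the custom query above is easy to get backwards (drop the machine-account exclusion only for the listed EventIDs, keep it everywhere else), so here is an added Python model of that filter, written for this thread and not code from InTrust or Quest. It assumes `in_range` means "EventID is within the comma-separated list of ranges and single IDs" and that the `".*\$"` pattern matches account names ending in `$`; the `Event` record and `SAMPLE_EVENTS` are constructed stand-ins for repository events, not real InTrust data.

```python
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Event:
    """Hypothetical stand-in for an InTrust repository event (constructed for this example)."""
    event_id: int
    account_name: str


# Same EventID spec as the forum query: ranges use '-', entries are comma-separated.
PASS_THROUGH_IDS = "4672-4674,4688"

# Regex from the forum query; matches account names that end with '$' (machine accounts).
MACHINE_ACCOUNT_RE = re.compile(r".*\$")


def parse_id_ranges(spec: str) -> Set[int]:
    """Expand '4672-4674,4688' into {4672, 4673, 4674, 4688}."""
    ids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_text, hi_text = part.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)
            if lo > hi:
                raise ValueError(f"bad range {part!r}: low end exceeds high end")
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


def in_range(event_id: int, spec: str) -> bool:
    """Assumed semantics of InTrust in_range(): membership in the expanded ID set."""
    return event_id in parse_id_ranges(spec)


def should_forward(event: Event, spec: str = PASS_THROUGH_IDS) -> bool:
    """Mirror the forum query:
    (not(in_range(EventID, spec)) and not(in(Account_Name, ".*\\$"))) or in_range(EventID, spec)

    Read as: listed EventIDs are forwarded regardless of account; every other
    EventID is forwarded only when the account is not a machine account.
    """
    listed = in_range(event.event_id, spec)
    machine_account = MACHINE_ACCOUNT_RE.fullmatch(event.account_name) is not None
    # Logically equivalent to: listed or not machine_account
    return (not listed and not machine_account) or listed


def forward_set(events: List[Event], spec: str = PASS_THROUGH_IDS) -> List[Event]:
    """Return the subset of events the filter would pass on to Splunk."""
    return [e for e in events if should_forward(e, spec)]


# Constructed sample events: a mix of user and machine (trailing '$') accounts.
SAMPLE_EVENTS = [
    Event(4624, "jdoe"),       # logon, user account      -> forwarded
    Event(4624, "WKS01$"),     # logon, machine account   -> dropped (4624 not listed)
    Event(4688, "SRV02$"),     # process creation, machine account -> forwarded (listed)
    Event(4673, "svc_backup"),  # privileged service call, user -> forwarded
    Event(4674, "DC01$"),      # privileged object op, machine -> forwarded (in 4672-4674)
]

if __name__ == "__main__":
    for e in forward_set(SAMPLE_EVENTS):
        print(f"forward EventID={e.event_id} Account_Name={e.account_name}")
```

Running the block prints four of the five sample events; only the 4624 logon by `WKS01$` is held back, which is exactly the behaviour the question asks for. To widen the pass-through list, change `PASS_THROUGH_IDS` in the same way step 8 changes both copies of the spec in the InTrust query.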