automine

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"

automine

[replicationSettings] 
sendRcvTimeout = 120

automine

Masa Diagram in Mermaid

flowchart TB
    

    subgraph tail
        TailReader("TailReader (tailing)")
    end
    

automine

flowchart TD
subgraph IDX

        TCP("TCP/UDP") -- Uncooked --> pQ
        TCP -- Cooked --> rulesetQ
        TailReader("TailReader") --> pQ
        
        
        fifo("FifoInput") --> pQ

automine

Original version is here, I just wanted something easier to read.

Config	Default	Max Recommended	Purpose	When to use

automine

[WinEventLog:Security]
#Returns most of the space savings XML would provide
SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g
SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean3-blank_ipv6 = s/::ffff://g
SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g
SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g
SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g

automine

version: '3'

services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:6.6.3
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'
    ports:

automine

template("$(format-welf ISODATE DATE SOURCEIP HOST ORIG_HOST PROGRAM PID MSGID SDATA MSGHDR MESSAGE FACILITY PRIORITY)\n");
template t_splunk_kv { template("ISODATE=\"${ISODATE}\", DATE=\"${DATE}\", SOURCEIP=\"${SOURCEIP}\", HOST=\"${HOST}\", ORIG_HOST=\"${ORIG_HOST}\", PROGRAM=\"${PROGRAM}\", PID=\"${PID}\", MSGID=\"${MSGID}\", SDATA=\"${SDATA}\", MSGHDR=\"${MSGHDR}\", MESSAGE=\"${MESSAGE}\", FACILITY=\"${FACILITY}\", PRIORITY=\"${PRIORITY}\"\n"); template_escape(no); };

automine

version: '3'

services:
  splunksh:
    hostname: splunksh
    image: splunk/splunk:7.1.2
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes --no-prompt --seed-passwd changed123
      SPLUNK_USER: root
      OPTIMISTIC_ABOUT_FILE_LOCKING: '1'

automine

You should use this: https://github.com/dpaper-splunk/public/blob/master/dashboards/extended_search_reporting.xml