https://community.splunk.com/t5/Getting-Data-In/WMI-filter-doesn-t-work/m-p/55703#M10887 <P>I have installed the heavy forwarder on a windows machine in order to filter Windows Event Log events . I would like to forward only events of Type=Warning and Type=Error<BR /> But it doesn't work<BR /> I have created a file props.conf and a file transforms.conf<BR /> where should I put these files ? In $SPLUNK_HOME/etc/system/local or in $SPLUNK_HOME/etc/apps/SplunkForwarder/local ?<BR /> Can somebody help me because I am working on this since several days without any solution. Thanks</P> <P>The content of props.conf is :<BR /> [WMI:WinEventLog:Security]<BR /> TRANSFORMS-wmi=FilterSec<BR /> [WMI:WinEventLog:System]<BR /> TRANSFORMS-wmi=FilterSys<BR /> [WMI:WinEventLog:Application]<BR /> TRANSFORMS-wmi=FilterApp</P> <P>Content of transforms.conf:<BR /> [FilterSys]<BR /> REGEX= (?msi)^Type=Information<BR /> DEST_KEY= queue<BR /> FORMAT= nullQueue</P> <P>[FilterSec]<BR /> REGEX= (?msi)^Type=Information<BR /> DEST_KEY= queue<BR /> FORMAT= nullQueue</P> <P>[FilterApp]<BR /> REGEX= (?msi)^Type=Information<BR /> DEST_KEY= queue<BR /> FORMAT= nullQueue</P> Mon, 28 Sep 2020 13:28:40 GMT alain_bettiol 2020-09-28T13:28:40Z https://community.splunk.com/t5/Getting-Data-In/WMI-filter-doesn-t-work/m-p/55703#M10887 <P>I have installed the heavy forwarder on a windows machine in order to filter Windows Event Log events . I would like to forward only events of Type=Warning and Type=Error<BR /> But it doesn't work<BR /> I have created a file props.conf and a file transforms.conf<BR /> where should I put these files ? In $SPLUNK_HOME/etc/system/local or in $SPLUNK_HOME/etc/apps/SplunkForwarder/local ?<BR /> Can somebody help me because I am working on this since several days without any solution. Thanks</P> <P>The content of props.conf is :<BR /> [WMI:WinEventLog:Security]<BR /> TRANSFORMS-wmi=FilterSec<BR /> [WMI:WinEventLog:System]<BR /> TRANSFORMS-wmi=FilterSys<BR /> [WMI:WinEventLog:Application]<BR /> TRANSFORMS-wmi=FilterApp</P> <P>Content of transforms.conf:<BR /> [FilterSys]<BR /> REGEX= (?msi)^Type=Information<BR /> DEST_KEY= queue<BR /> FORMAT= nullQueue</P> <P>[FilterSec]<BR /> REGEX= (?msi)^Type=Information<BR /> DEST_KEY= queue<BR /> FORMAT= nullQueue</P> <P>[FilterApp]<BR /> REGEX= (?msi)^Type=Information<BR /> DEST_KEY= queue<BR /> FORMAT= nullQueue</P> Mon, 28 Sep 2020 13:28:40 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-filter-doesn-t-work/m-p/55703#M10887 alain_bettiol 2020-09-28T13:28:40Z https://community.splunk.com/t5/Getting-Data-In/WMI-filter-doesn-t-work/m-p/55704#M10888 <P>Verify what is the exact final sourcetype of your events with a search.</P> <P>I suspect that your props stanza should be like :<BR /> <CODE>[WinEventLog:Security]</CODE></P> Fri, 08 Mar 2013 15:24:28 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-filter-doesn-t-work/m-p/55704#M10888 yannK 2013-03-08T15:24:28Z https://community.splunk.com/t5/Getting-Data-In/WMI-filter-doesn-t-work/m-p/55705#M10889 <P>You were right, it seems to work now.<BR /> I have used this stanza [WinEventLog:..] insteadof [WMI:WinEventLog:..] and now it works. I hve also moved props.conf and transforms.conf into folder $SPLUNK_HOME/apps/SplunkForwarder/etc/local otherwise it doesn't work.</P> <P>Thanks for your help</P> Tue, 12 Mar 2013 08:03:16 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-filter-doesn-t-work/m-p/55705#M10889 alain_bettiol 2013-03-12T08:03:16Z https://community.splunk.com/t5/Getting-Data-In/WMI-filter-doesn-t-work/m-p/55706#M10890 <P>I have wrecked my brains over this and still can't get it to work!! Here are my config files</P> <P><STRONG>Inputs.conf</STRONG></P> <P>[WinEventLog:Application]</P> <P>disabled = 0</P> <P>[WinEventLog:System]</P> <P>disabled = 0</P> <P><STRONG>props.conf</STRONG></P> <P>[WinEventLog:Application] </P> <P>TRANSFORMS-wmi = FitlerApp</P> <P>[WinEventLog:System]</P> <P>TRANSFORMS-wmi = FilterSys</P> <P><STRONG>transforms.conf</STRONG></P> <P>[FilterApp]</P> <P>REGEX = (?msi)^Type=Information</P> <P>DEST_KEY = queue</P> <P>FORMAT = nullQueue</P> <P>[FilterSys]</P> <P>REGEX = (?msi)^Type=Information</P> <P>DEST_KEY = queue</P> <P>FORMAT = nullQueue</P> <P>I was putting all of these files in C:\Program Files\Splunk\etc\system\local but after reading alain_bettiol post, I moved the transforms.conf and props.conf files into C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local and it still doesn't work! What am I doing wrong? Please advise!</P> Fri, 21 Feb 2014 12:13:35 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-filter-doesn-t-work/m-p/55706#M10890 DukeHazord 2014-02-21T12:13:35Z