https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-working-after-switching-to-WMI-pull/m-p/71043#M14446 <P>Can you clarify your input configuration? Are you pulling events from remote eventlogs or from local ones?</P> <P>If it's from local ones, you should use a stanza of</P> <P><CODE>[WinEventLog:Security]</CODE></P> <P>Also, if you're forwarding, then it will not use the wmi stanza on the recieving end, only the sending, so you'll need the proper spec</P> <P><CODE>[source::WMI:WinEventLog:Security]</CODE></P> <P>Also, I'd change the transform names to <CODE>allwminull</CODE> and <CODE>successwminull</CODE> or similar. As you're not setting the default to null and then rescuing the events you care about, which is what the original sample names are for.</P> Mon, 18 Oct 2010 18:07:44 GMT dart 2010-10-18T18:07:44Z https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-working-after-switching-to-WMI-pull/m-p/71042#M14445 <P>Hi,</P> <P>My previous configuration to filter windows event codes doesn't work when I used it on another machine that is pulling data via WMI. My objective is to filter off event codes 538,540,672,673,861 and "Success Audit" type for code 578.</P> <P>My existing configuration is:<BR /> props.conf </P> <PRE><CODE>[wmi] TRANSFORMS-null = setnullevents, setparsing </CODE></PRE> <P>transforms.conf </P> <PRE><CODE>[setnullevents] REGEX = (?m)^EventCode=(538|540|672|673|861)\b DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = (?msi)^EventCode=578.*^(Type=Audit Success) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>Any idea what I've missed?</P> Fri, 15 Oct 2010 08:58:07 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-working-after-switching-to-WMI-pull/m-p/71042#M14445 remy06 2010-10-15T08:58:07Z https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-working-after-switching-to-WMI-pull/m-p/71043#M14446 <P>Can you clarify your input configuration? Are you pulling events from remote eventlogs or from local ones?</P> <P>If it's from local ones, you should use a stanza of</P> <P><CODE>[WinEventLog:Security]</CODE></P> <P>Also, if you're forwarding, then it will not use the wmi stanza on the recieving end, only the sending, so you'll need the proper spec</P> <P><CODE>[source::WMI:WinEventLog:Security]</CODE></P> <P>Also, I'd change the transform names to <CODE>allwminull</CODE> and <CODE>successwminull</CODE> or similar. As you're not setting the default to null and then rescuing the events you care about, which is what the original sample names are for.</P> Mon, 18 Oct 2010 18:07:44 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-working-after-switching-to-WMI-pull/m-p/71043#M14446 dart 2010-10-18T18:07:44Z https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-working-after-switching-to-WMI-pull/m-p/71044#M14447 <P>There are 3 machines, hostA,hostB(both windows) &amp; splunk indexer(linux). </P> <P>I have splunk installed on hostB and have configured with the above scripts to pull event logs from hostA, and then forward them to Splunk indexer.</P> Tue, 19 Oct 2010 10:20:19 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-working-after-switching-to-WMI-pull/m-p/71044#M14447 remy06 2010-10-19T10:20:19Z https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-working-after-switching-to-WMI-pull/m-p/71045#M14448 <P>don't know why but after I meddle around with the naming..it seems to work after that..</P> <P><CODE> props.conf [wmi]<BR /> TRANSFORMS-wminull = wmi-null, wmi-parsing</CODE></P> <P><CODE> [wmi-null]<BR /> REGEX = (?msi)^EventCode=(538|540|672|673|861)\b<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</CODE> </P> <P><CODE> [wmi-parsing]<BR /> REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</CODE></P> Wed, 20 Oct 2010 10:59:32 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-working-after-switching-to-WMI-pull/m-p/71045#M14448 remy06 2010-10-20T10:59:32Z