https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84236#M17500 <P>Okay, I've made all the changes but it still archiving any log!</P> <P>Switching the props.conf in wmi:WinEventLog:Security it stops working totally.</P> Tue, 06 Mar 2012 17:27:27 GMT pmelchiori 2012-03-06T17:27:27Z https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84232#M17496 <P>I'm looking for a way to filter all the log eventlog from certain user's group (SYSTEM and Administrator), but all my test going bad <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>(splunk 4.1.6)</P> <P><STRONG>prof.conf:</STRONG></P> <PRE><CODE>[wmi] TRANSFORMS-wminull = wmi-null, wmi-parsing </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[wmi-null] REGEX = . DEST_KEY = queue FORMAT = nullQueue [wmi-parsing] REGEX = (?m)^User=(SYSTEM|Administrator) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Mon, 05 Mar 2012 16:22:05 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84232#M17496 pmelchiori 2012-03-05T16:22:05Z https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84233#M17497 <P>did you try the followings:</P> <PRE><CODE>REGEX = (.) </CODE></PRE> <P>AND/OR</P> <PRE><CODE>REGEX = (?msi)^User=(SYSTEM|Administrator) </CODE></PRE> Mon, 05 Mar 2012 20:52:05 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84233#M17497 MarioM 2012-03-05T20:52:05Z https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84234#M17498 <P>Yes, it does't filter anything, I can see all the logs in Splunk.</P> Tue, 06 Mar 2012 14:28:41 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84234#M17498 pmelchiori 2012-03-06T14:28:41Z https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84235#M17499 <P>pmelchiori,</P> <P>It looks like you have the syntax mostly right, but you need to check a few things.</P> <P>Is the sourcetype that you want to drop just "wmi" or is it "wmi:WinEventLog:Security" etc? Make sure this is explicit.</P> <P>Additionally, your transform will apply to a SOURCE_KEY = _raw unless otherwise stated. Your _raw will probably be equal to the entire event. That would mean that the string "user=XXX" is NOT at the beginning of the event, and therefore you don't want the carat "^" in your regex.</P> <P>Finally, you have two transforms, that do two different things. The top one has a REGEX = (.).<BR /> In Regex, a dot "." means match any single character. So, this will match anything and mark it all to the nullQueue. I am not sure your intention here, but you may want to adjust this or maybe even omit the first transform in lieu of the second.</P> <P>Check the sourcetype, check your transforms, fix that in props.conf and then remove your carat and see how that goes.</P> <P>Best,</P> <P>Sean</P> Tue, 06 Mar 2012 15:09:26 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84235#M17499 sdwilkerson 2012-03-06T15:09:26Z https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84236#M17500 <P>Okay, I've made all the changes but it still archiving any log!</P> <P>Switching the props.conf in wmi:WinEventLog:Security it stops working totally.</P> Tue, 06 Mar 2012 17:27:27 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84236#M17500 pmelchiori 2012-03-06T17:27:27Z https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84237#M17501 <P>See my updated answer above.</P> Wed, 07 Mar 2012 01:38:58 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-filtering-only-eventlog-from-some-users/m-p/84237#M17501 sdwilkerson 2012-03-07T01:38:58Z