https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88440#M18330 <P>You can't do this on a universal forwarder. It needs to happen where the data is parsed, which is either at the indexer or the heavy forwarder acting as an intermediate forwarder. </P> Mon, 02 Jul 2012 15:52:20 GMT jbsplunk 2012-07-02T15:52:20Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88438#M18328 <P>I am trying to filter events, and am not having any luck.</P> <P>Log info in Splunk:<BR /> LogName=System<BR /> SourceName=Microsoft-Windows-Service Control Manager<BR /> EventCode=7036<BR /> EventType=4<BR /> Type=Information<BR /> ComputerName=xxNAMExx<BR /> TaskCategory=The operation completed successfully.<BR /> OpCode=The operation completed successfully.<BR /> RecordNumber=29077<BR /> Keywords=Classic<BR /> Message=The WMI Performance Adapter service entered the stopped state.</P> <P>these files have been changed on the machine that forwards the data. </P> <P>props.conf<BR /> [WMI:WinEventLog:System]<BR /> TRANSFORMS-wmi=wminull</P> <P>transforms.conf<BR /> [wminull]<BR /> REGEX=(?m)^EventCode=(7036)<BR /> DEST_KEY=queue<BR /> FORMAT=nullQueue</P> <P>what am i missing?<BR /> thanks</P> Mon, 02 Jul 2012 14:35:02 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88438#M18328 jdonovan 2012-07-02T14:35:02Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88439#M18329 <P>i am using a universal forwarder, if that matters and spunk version 4.3</P> Mon, 02 Jul 2012 14:43:33 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88439#M18329 jdonovan 2012-07-02T14:43:33Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88440#M18330 <P>You can't do this on a universal forwarder. It needs to happen where the data is parsed, which is either at the indexer or the heavy forwarder acting as an intermediate forwarder. </P> Mon, 02 Jul 2012 15:52:20 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88440#M18330 jbsplunk 2012-07-02T15:52:20Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88441#M18331 <P>i saw that after looking for a different way to do this. the problem is we want to limit what gets sent to the indexer because of the bandwidth usage. changing forwarders would not be an option as we have 800+ clients forwarding data. are there any other ways to limit what is sent?</P> Mon, 02 Jul 2012 16:39:08 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88441#M18331 jdonovan 2012-07-02T16:39:08Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88442#M18332 <P>There are not any ways to further limit which system events are sent. You could remove the system events completely, but if you only want to have certain system events, those have to be thrown out at the indexer.</P> Mon, 02 Jul 2012 17:24:03 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88442#M18332 jbsplunk 2012-07-02T17:24:03Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88443#M18333 <P>Sending things to the nullQueue can only happen at parse time. You might consider tuning down some of the "interval" settings in wmi.conf, however</P> Mon, 02 Jul 2012 20:56:51 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88443#M18333 sowings 2012-07-02T20:56:51Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88444#M18334 <P>Can this be a feature request? Why saturate the network and bog down the indexer with events that you do not even want?</P> Fri, 21 Jun 2013 20:29:26 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Events/m-p/88444#M18334 erstexas 2013-06-21T20:29:26Z