https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90602#M18810 <P>You should specify the source exactly. <BR /> source::WMI:WinEventLog:Security<BR /> Use a different transform in props.conf like<BR /> TRANSFORMS-nullq5156 = dropEvent5156<BR /> The regex for that is<BR /> REGEX = (?msi)^EventCode=5156\D<BR /> WMI logs are pulled pretty much as they are generated.</P> Wed, 09 Oct 2013 17:51:25 GMT lukejadamec 2013-10-09T17:51:25Z https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90597#M18805 <P>We are attempting to filter out events that we do not wish to index.</P> <P>In props.conf:</P> <PRE><CODE>[source::WinEventLog:Security] TRANSFORMS-nullq=DropFilteringPlatform </CODE></PRE> <P>In transforms.conf:</P> <PRE><CODE> [DropFilteringPlatform] REGEX=(?msi)^TaskCategory=Filtering\\sPlatform DEST_KEY=queue FORMAT=nullqueue </CODE></PRE> <P>My first question is, does that look like it would filter out the Windows Platform Filtering events?</P> <P>The second question, though probably stupid is, what is the difference between null and nullq in the props.conf? I'm also curious about the queue, nullqueue, and null in transforms.conf, is there a document that explains any of that?</P> <P>The last question is, I want to pull in WMI data from any terminals that come on a specific subnet. When adding in the data to search for with WMI, is there a way to make it pull from an entire subnet?</P> <P>Thanks in advance for any help.</P> Wed, 09 Oct 2013 15:54:11 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90597#M18805 ejdavis 2013-10-09T15:54:11Z https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90598#M18806 <P>1) I'm not familiar with </P> <PRE><CODE>TaskCategory=Filtering\\sPlatform </CODE></PRE> <P>But it looks good if the string matches the actuall string. You can test it in a search string with regex.</P> <P>2) nullq is a tag you create for yourself to identify the TRANSFORM, whereas nullQueue is a destination defined inside Splunk to send the data 'no where'.</P> <P>3) When you specify a subnet (10.1.1.0/24) it does not throw an error, but it also does not collect data, so No. You cannot collect WMI data by subnet.</P> Wed, 09 Oct 2013 16:02:40 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90598#M18806 lukejadamec 2013-10-09T16:02:40Z https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90599#M18807 <P>Thank you for the quick response, makes more sense now.</P> <P>As for my last question, just as an example. Lets say I install Splunk at a remote location and I want it to pull data from a local subnet. Lets just say 10.0.0.1 - 10.0.0.255, that way if a host was added or removed it would pick it up automatically, hopefully.</P> <P>How would I input that? At the screen to add new Event Logs via WMI/remote hosts you enter one IP to pull logs from, and then you have a field to "Collect the same set of logs from additional hosts".</P> <P>I tried entering 10.0.0.* and<BR /> 10.0.0.1-10.0.0.255</P> <P>Neither worked</P> Wed, 09 Oct 2013 17:19:30 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90599#M18807 ejdavis 2013-10-09T17:19:30Z https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90600#M18808 <P>Some areas of splunk allow you to specify subnets in CIDR notation, but I tried that here and it did not work for me. This field apparently requires a comma separated list. An easy way to create a list would be to use Excel - enter the first 3 then just drag the rest, then save as a csv. Drag it on a row instead of a column to get them all on one line.</P> Wed, 09 Oct 2013 17:25:21 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90600#M18808 lukejadamec 2013-10-09T17:25:21Z https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90601#M18809 <P>Thanks again for the quick responses. I figured I may just end up having to do something similar to that.</P> <P>Back to the filtering portion, I am trying to get rid of Event Code 5156 coming from the remote hosts via WMI.</P> <P>In Splunk itself the source is listed as "WMI:WinEventLog:Security", does it need to be listed exactly that way in props.conf or does "[Source::WinEventLog:Security" still cover it?</P> <P>I don't mean to badger with questions, but how often does Splunk pull the logs via WMI?</P> Wed, 09 Oct 2013 17:43:24 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90601#M18809 ejdavis 2013-10-09T17:43:24Z https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90602#M18810 <P>You should specify the source exactly. <BR /> source::WMI:WinEventLog:Security<BR /> Use a different transform in props.conf like<BR /> TRANSFORMS-nullq5156 = dropEvent5156<BR /> The regex for that is<BR /> REGEX = (?msi)^EventCode=5156\D<BR /> WMI logs are pulled pretty much as they are generated.</P> Wed, 09 Oct 2013 17:51:25 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90602#M18810 lukejadamec 2013-10-09T17:51:25Z https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90603#M18811 <P>You really should create new questions because it helps keep things organized for searching.</P> Wed, 09 Oct 2013 17:52:16 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-out-Platform-Filtering-null-nullq-and-pulling-WMI-from/m-p/90603#M18811 lukejadamec 2013-10-09T17:52:16Z