topic Re: How do I exclude some windows events from being indexed?? in Getting Data In

How do I exclude some windows events from being indexed??

pstamati — Mon, 09 May 2011 18:27:27 GMT

Hi all!.
I'm new with Splunk. I´m trying to exclude some events from being indexed but I really don´t know where to start. Where do i need to exclude these events IDs? For example, events 576, 576, 538, 540, etc.

Many thanks in advance

Re: How do I exclude some windows events from being indexed??

jbsplunk — Mon, 09 May 2011 18:48:07 GMT

Hello,

You should review the following link, there is an example of this which can be found here:

http://www.splunk.com/base/Documentation/latest/Deploy/Routeandfilterdatad

Filter WMI events

To filter on WMI events, you must use the [wmi] source type stanza in props.conf. The following example uses regex to filter out two Windows event codes, 592 and 593:

In props.conf:

[wmi]
TRANSFORMS-wmi=wminull

In transforms.conf:

[wminull]
REGEX=(?m)^EventCode=(592|593)
DEST_KEY=queue
FORMAT=nullQueue

Re: How do I exclude some windows events from being indexed??

pstamati — Tue, 10 May 2011 15:21:16 GMT

Maybe I'm doing something wrong. It Doesn't appear to be working. I modified both files adding the text you posted but events are still being indexed.
Should I modified something else? Is there any other component that must be enabled to do this?
Regards

Re: How do I exclude some windows events from being indexed??

jbsplunk — Tue, 10 May 2011 15:38:01 GMT

Where are you trying to do this? On an Indexer? How is this data making it into Splunk? These settings should be implemented where the data is actually parsed. So, maybe that is the story? Also, what version of splunk is this? This was broken in 4.2, fixed in 4.2.1

Re: How do I exclude some windows events from being indexed??

pstamati — Tue, 10 May 2011 16:50:20 GMT

I have the trial version actually. I Modified the files from
c:\program files\Splunk\etc\system\default. This is what you asked for?

Re: How do I exclude some windows events from being indexed??

jbsplunk — Tue, 10 May 2011 16:54:58 GMT

It is probably better to add comments vs adding in your comments as new answers. That being said, changes should be made into $SPLUNK_HOME/etc/system/local. Still, not sure what version your running..'trial' is just the latest, AFAIK, so I presume its either 4.2 or 4.2.1.

FYI: http://www.splunk.com/base/Documentation/latest/admin/Aboutconfigurationfiles

'When you edit a configuration file, you should not edit the version in $SPLUNK_HOME/etc/system/default.'

Re: How do I exclude some windows events from being indexed??

pstamati — Tue, 10 May 2011 19:09:17 GMT

That works excellent!! Many thanks

Re: How do I exclude some windows events from being indexed??

ehoward — Wed, 07 Sep 2011 17:41:54 GMT

How does this apply to WMI data being collected by the universal forwarder? Do I have to create these config files locally on each system with the forwarder? I modified my configs on the Indexer and it had no effect.

Re: How do I exclude some windows events from being indexed??

yannK — Wed, 07 Sep 2011 19:51:46 GMT

Beware :

the sourcetypes are different in splunk 4.1 and splunk 4.2
see for splunk 4.2
http://docs.splunk.com/Documentation/Splunk/4.2.3/Deploy/Routeandfilterdatad#Filter_WMI_events
the props and transforms have to be setup on the server parsing the events (indexers and regular forwarders)