https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476502#M81794 <P>you can blacklist those hosts (since they've a pattern) from receiving the WMI monitoring app. <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Updating/Filterclients#Define_filters_through_serverclass.conf">https://docs.splunk.com/Documentation/Splunk/8.0.0/Updating/Filterclients#Define_filters_through_serverclass.conf</A></P> Wed, 06 Nov 2019 21:32:23 GMT somesoni2 2019-11-06T21:32:23Z https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476498#M81790 <P>I'm trying to send some service status that I'm collecting from a group of servers to the nullQueue. The servers where I don't want to keep the data all match a naming pattern of "host = XYZ123456"<BR /> sourcetype = WMI:Services<BR /> source = WMI:Services</P> <P>My below props and transforms are deployed to my indexers but it's not matching and the events are still being indexed.</P> <P>props.conf</P> <PRE><CODE>[WMI:Services] TRANSFORMS-wminull = nullit </CODE></PRE> <P>transforms.conf</P> <PRE><CODE> [nullit] REGEX=(?m)host\s=\s[XYZ]+\d+ DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> Wed, 06 Nov 2019 18:21:22 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476498#M81790 morphis72 2019-11-06T18:21:22Z https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476499#M81791 <P>try using btool command to debug the issue</P> <P><CODE>./splunk cmd btool transforms list --debug</CODE></P> Wed, 06 Nov 2019 20:14:19 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476499#M81791 mayurr98 2019-11-06T20:14:19Z https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476500#M81792 <P>What type of Splunk is installed on the machines from where you're collecting WMI service data? Also, if you don't want to ingest any data for that sourcetype, why not just disable the input itself (it must be setup in some inputs.conf to collect that WMI data)?</P> Wed, 06 Nov 2019 20:26:48 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476500#M81792 somesoni2 2019-11-06T20:26:48Z https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476501#M81793 <P>7.2.4 UF on windows servers sending data to a distributed Linux spunk environment. The app I am pushing out is going to a group of servers. Some of which need to collect the WIM counters and some do not. It depends on their role.</P> Wed, 06 Nov 2019 21:01:36 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476501#M81793 morphis72 2019-11-06T21:01:36Z https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476502#M81794 <P>you can blacklist those hosts (since they've a pattern) from receiving the WMI monitoring app. <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Updating/Filterclients#Define_filters_through_serverclass.conf">https://docs.splunk.com/Documentation/Splunk/8.0.0/Updating/Filterclients#Define_filters_through_serverclass.conf</A></P> Wed, 06 Nov 2019 21:32:23 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476502#M81794 somesoni2 2019-11-06T21:32:23Z https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476503#M81795 <P>If I black listed them they wouldn't receive the rest of the monitoring that is in the app. I could split this into two apps but I was trying to keep the administration simple with one app to push out.</P> Wed, 06 Nov 2019 21:41:36 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476503#M81795 morphis72 2019-11-06T21:41:36Z https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476504#M81796 <P>It's either managing two apps or adding overhead during indexing (each events for that sourcetype will undergo that TRANSFORM adding overhead processing at indexer/intermediate forwarder).</P> Wed, 06 Nov 2019 21:58:54 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476504#M81796 somesoni2 2019-11-06T21:58:54Z https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476505#M81797 <P>If you are sure that your settings are correct, it must be something else. If you are doing a sourcetype override/overwrite, you must use the <EM>ORIGINAL</EM> value, <EM>NOT</EM> the new value. You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier) UNLESS you are using HEC's JSON endpoint (it gets pre-cooked) or INDEXED_EXTRACTIONS (configs go on the UF in that case), then restart all Splunk instances there. When (re)evaluating, you must send in new events (old events will stay broken), then test using <CODE>_index_earliest=-5m</CODE> to be absolutely certain that you are only examining the newly indexed events.</P> Wed, 30 Sep 2020 02:50:15 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476505#M81797 woodcock 2020-09-30T02:50:15Z https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476506#M81798 <P>Fair enough. I think I will split into two apps.</P> Fri, 08 Nov 2019 14:47:29 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-send-a-WMI-service-to-the-nullQueue/m-p/476506#M81798 morphis72 2019-11-08T14:47:29Z