https://community.splunk.com/t5/Getting-Data-In/WMI-EventLog-Filtering/m-p/49849#M9463 <P>Never mind, i feel very very very stupid! For everyone who doesn't have a good configures GPO, uncheck the hide extentions for known file types and don't work with notepad!!!</P> Fri, 25 Feb 2011 00:36:38 GMT CerielTjuh 2011-02-25T00:36:38Z https://community.splunk.com/t5/Getting-Data-In/WMI-EventLog-Filtering/m-p/49848#M9462 <P><STRONG>Realization (Actions executed leading to the disruption):</STRONG></P> <P>We are currently trying to poll Windows 2008 servers with Splunk-wmi. As you know Windows 2008 generates a lot of eventlog messages and to stay within our 2GB/a day limit we want to filter out some data before sending it to the general indexer. We are currently using a demo splunk license to test it out before we are putting it into production. I have created a wmi poll using the Splunk data input wizard and I am getting the results in Splunk. My next step was to start filtering out events with an eventcode=5156 filter using a props.conf and transforms.conf file but I am not able to "filter out" the events.</P> <P><STRONG>Recreation (Could the disruption be recreated? If yes, please provide a exact step by step scenario):</STRONG></P> <P>---props.conf---</P> <P>[wmi]</P> <P>TRANSFORMS-null = wmi-null</P> <P>---transforms.conf---</P> <P>[wmi-null]</P> <P>REGEX=EventCode=(5156)</P> <P>DEST_KEY = queue</P> <P>FORMAT = nullQueue</P> <P>I know there are a lot of topics about this subject but somehow I am to stupid to get this working with the examples given by other users...</P> Thu, 24 Feb 2011 23:56:48 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-EventLog-Filtering/m-p/49848#M9462 CerielTjuh 2011-02-24T23:56:48Z https://community.splunk.com/t5/Getting-Data-In/WMI-EventLog-Filtering/m-p/49849#M9463 <P>Never mind, i feel very very very stupid! For everyone who doesn't have a good configures GPO, uncheck the hide extentions for known file types and don't work with notepad!!!</P> Fri, 25 Feb 2011 00:36:38 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-EventLog-Filtering/m-p/49849#M9463 CerielTjuh 2011-02-25T00:36:38Z https://community.splunk.com/t5/Getting-Data-In/WMI-EventLog-Filtering/m-p/49850#M9464 <P>Don't save your config files as .conf.txt....</P> Fri, 25 Feb 2011 00:37:13 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-EventLog-Filtering/m-p/49850#M9464 CerielTjuh 2011-02-25T00:37:13Z https://community.splunk.com/t5/Getting-Data-In/WMI-EventLog-Filtering/m-p/49851#M9465 <P>this is so true.</P> Sat, 02 Apr 2011 08:15:01 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-EventLog-Filtering/m-p/49851#M9465 yannK 2011-04-02T08:15:01Z https://community.splunk.com/t5/Getting-Data-In/WMI-EventLog-Filtering/m-p/49852#M9466 <P>Beware the sourcetype is different between versions of splunk/windows app</P> <UL> <LI>old one is [wmi] </LI> <LI>new is [WMI:WinEventLog:Security]</LI> </UL> <P>see <A href="http://splunk-base.splunk.com/answers/26192/cannot-filter-wmi-events-to-nullqueue-in-42x">http://splunk-base.splunk.com/answers/26192/cannot-filter-wmi-events-to-nullqueue-in-42x</A></P> Wed, 29 Jun 2011 19:41:28 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-EventLog-Filtering/m-p/49852#M9466 yannK 2011-06-29T19:41:28Z