Solved: Cannot filter WMI events to nullQueue in 4.2.x

Ellen · ‎06-13-2011

I am sending some events to the nullQueue and it used to work in 4.0.x and 4.1.x, but now it is not sending any events to nullQueue. I have the following configuration:

props.conf
[wmi] 
TRANSFORMS-nuke=wmi2nullQ

transforms.conf 
[wmi2nullQ] 
REGEX=(?im)(CategoryString=Logoff)[^$]+\s+(EventIdentifier=4634)
DEST_KEY = queue
FORMAT = nullQueue

Why does this no longer work? Nothing has changed since applying a newer 4.2.x release.

Ellen · ‎06-13-2011

In 4.0.x and 4.1.x the stanza in props.conf had to be [wmi]

With 4.2.x you must use the actual sourcetype name.

For example:

[WMI:WinEventLog:Security]

TRANSFORMS-send2nullq= wmi2nullQ

View solution in original post

Ellen · ‎06-13-2011

In 4.0.x and 4.1.x the stanza in props.conf had to be [wmi]

With 4.2.x you must use the actual sourcetype name.

For example:

[WMI:WinEventLog:Security]

TRANSFORMS-send2nullq= wmi2nullQ

Cannot filter WMI events to nullQueue in 4.2.x

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation