Solved: Cannot filter WMI events to nullQueue in 4.2.x

Ellen · ‎06-13-2011

I am sending some events to the nullQueue and it used to work in 4.0.x and 4.1.x, but now it is not sending any events to nullQueue. I have the following configuration:

props.conf
[wmi] 
TRANSFORMS-nuke=wmi2nullQ

transforms.conf 
[wmi2nullQ] 
REGEX=(?im)(CategoryString=Logoff)[^$]+\s+(EventIdentifier=4634)
DEST_KEY = queue
FORMAT = nullQueue

Why does this no longer work? Nothing has changed since applying a newer 4.2.x release.

Ellen · ‎06-13-2011

In 4.0.x and 4.1.x the stanza in props.conf had to be [wmi]

With 4.2.x you must use the actual sourcetype name.

For example:

[WMI:WinEventLog:Security]

TRANSFORMS-send2nullq= wmi2nullQ

View solution in original post

Ellen · ‎06-13-2011

In 4.0.x and 4.1.x the stanza in props.conf had to be [wmi]

With 4.2.x you must use the actual sourcetype name.

For example:

[WMI:WinEventLog:Security]

TRANSFORMS-send2nullq= wmi2nullQ

Cannot filter WMI events to nullQueue in 4.2.x

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation