Getting Data In

Event Filtering not working


We are trying to filter events from the Windows Event Log that are pulled using WMI.

Here is the transforms.conf:

REGEX = (?m)^EventCode=(538|562|571|573|576|577|578|672|680|4634|4658|4672|4673|4674|4690|4772|4776|5156)
DEST_KEY = queue
FORMAT = nullQueue

Here is the props.conf:

EXTRACT-db_user = (?i) user '(?P<db_user>[^']*)'

But if I do a search of the security log and use | regex _raw="(?m)^EventCode=(538|562|571|573|576|577|578|672|680|4634|4658|4672|4673|4674|4690|4772|4776|5156)", I am seeing events that should have been filtered.

Any idea what the problem is? It was working prior to the upgrade to 4.x

Tags (1)
0 Karma


You most certainly can filter wmi events. The method, which is to reference the wmi sourcetype, is discussed in this post:

Splunk Employee
Splunk Employee

I am surprised that it used to work, because a props.conf rule on [WMI:WinEventLog:Security] does not get invoked at index time (so TRANSFORMS) will not work. This is because the sourcetype of data collected via WMI is not set until index time, so when rules are selected that one will not work. (It does work for search time rules, e.g., REPORT.) The sourcetype at that point is just wmi, and this applies to all WMI-collected data.

0 Karma


Then what is the best practice for filtering events collected with WMI?

0 Karma

Super Champion

Is your sourcetype correct? I'm not familiar with collecting event logs via WMI (which if I understand correctly, is not recommended.) So if your sourcetype is wrong, then that would certainly cause a problem.

Update: Based on gkanapathy note. You could simply use the sourcetype of wmi. That's a lot of overhead if your collecting a fair about of WMI events though. If you use the WinEventLog inputs directly (instead of pulling them via WMI), then you could use the sourcetype of [WinEventLog:Security] (since the windows event logs are not assigned a sourcetype dynamically like the wmi events are) so this would be more efficient because your transformer would run for fewer events.

If you have to collect these using WMI, you may also want to consider also making your regex match wmi_type=WinEventLog:Security which would prevent your regex from matching against other Application or System logs, but then again that will make the regex-overhead even higher....

Side note: One thing I would certainly suggested is that you update your REGEX to ensure that whatever comes after your code isn't another digit. For example, you want to block 538 but not necessarily 5381 or 5389999999 (I'm not that familiar with all the different codes here, but it certainly seems like you could be matching more than you want.)

REGEX = (?m)^EventCode=(538|562|571|573|576|577|578|672|680|4634|4658|4672|4673|4674|4690|4772|4776|5156)\b
0 Karma
Get Updates on the Splunk Community!

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...