Getting Data In

Event filtering issue

n_greder
New Member

Hello,

I'm going to go crazy!!
I have an event log I need to filter in order to not index some events; after many searches and tests, nothing works.

So I tried a drastic solution: disable the event log monitoring in wmi.conf, and even this does not work...

wmi.conf file content:

[WMI:WinEventLog:Application]
disabled = 1

I created this file in the C:\Program Files\Splunk\etc\system\local directory and restarted the Splunk services, but I still have events collected.

If even the most basic filter doesn't work, I have no hope of succeeding with event filtering in that event log.

Could someone tell me what's going wrong, please?

The main goal of this is to filter all incoming events with sourcename=Userenv.
I tried with props.conf and transforms.conf files; that never worked either.

Thanks for your help

0 Karma

n_greder
New Member

GREEEEEATTTTTT it's working 🙂

Thanks lguinn, I made an error in the REGEX pattern :(

Just for information, when you said to use the GUI to manage what I collect and what I don't, did you mean filtering the whole WMI Application log? In that case, I would just play with the tool; it's easier with an entire log file than filtering just one event.

Because, from what I know of Splunk, it is impossible to filter events from the GUI; we need to use the config files, no?

Thanks anyway for your time and help 🙂

0 Karma

lguinn2
Legend

Correct - you can do many tasks with the Manager. But you can't do the filtering with the Manager, you have to manually edit props.conf and transforms.conf for filtering by event.

0 Karma

lguinn2
Legend

Part 2 - To filter data by source name:

First, look at an actual event in Splunk. What does the data look like? For my example, I will assume that you can see the following string within the event:

Source=Userenv

Now, create two files, props.conf and transforms.conf. These files can go in an app, but you could also put them in $SPLUNK_HOME\etc\system\local. You also need to know the exact sourcetype that is being used to index the event log; for this example, I assume that the sourcetype is WinEventLog:Application.

props.conf

[WinEventLog:Application]
TRANSFORMS-re=remove-userenv-events

transforms.conf

[remove-userenv-events]
REGEX = (?m)Source\=Userenv
DEST_KEY = queue
FORMAT = nullQueue

Be careful that only the events that you want to remove have the string Source=Userenv.

0 Karma
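The props.conf/transforms.conf routing in the answer above can be checked before it is deployed. The following is an added example, not code from the answer or from Splunk: a small Python model of how a TRANSFORMS stanza with DEST_KEY = queue and FORMAT = nullQueue routes events, run over three constructed WinEventLog-style events. It uses the answer's regex as written, and also an assumed, tighter anchored variant `(?m)^Source=Userenv$`, to show the caveat that the loose pattern also drops an event from another source whose Message text happens to contain the string.

```python
import re
from typing import Dict, List

# Constructed sample events modelled on the multi-line key=value layout of
# Splunk WinEventLog:Application events (not captured from a real host).
SAMPLE_EVENTS: List[str] = [
    # 1: the kind of event the thread wants to drop
    "LogName=Application\nSource=Userenv\nEventCode=1054\nType=Warning\n"
    "Message=Windows cannot obtain the domain controller name for your computer network.",
    # 2: an unrelated application event that must be kept
    "LogName=Application\nSource=MSSQLSERVER\nEventCode=17137\nType=Information\n"
    "Message=Starting up database 'master'.",
    # 3: a different source whose message body happens to contain the string;
    #    this is the "be careful" caveat from the answer
    "LogName=Application\nSource=SceCli\nEventCode=1704\nType=Information\n"
    "Message=Security policy applied; previous failure reported by Source=Userenv was cleared.",
]

# transforms.conf stanzas as Python dicts. The first is the answer's stanza
# verbatim; the second is an assumed, tighter variant that anchors the match
# to a whole line so it cannot fire on text inside the Message field.
LOOSE_TRANSFORM = {"REGEX": r"(?m)Source\=Userenv", "DEST_KEY": "queue", "FORMAT": "nullQueue"}
ANCHORED_TRANSFORM = {"REGEX": r"(?m)^Source=Userenv$", "DEST_KEY": "queue", "FORMAT": "nullQueue"}


def route_event(event: str, transforms: List[Dict[str, str]]) -> str:
    """Return the queue an event ends up in.

    Simplified model of Splunk's TRANSFORMS-<class> processing: every
    transform with DEST_KEY=queue is tried in order and the last matching one
    decides; an event nobody routes goes to indexQueue.
    """
    queue = "indexQueue"
    for t in transforms:
        if t.get("DEST_KEY") != "queue":
            continue  # field-extraction and other transforms are out of scope here
        if re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue


def apply_filter(events: List[str], transforms: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Map each queue name to the (1-based) indexes of the events routed there."""
    routed: Dict[str, List[int]] = {}
    for i, ev in enumerate(events, start=1):
        routed.setdefault(route_event(ev, transforms), []).append(i)
    return routed


if __name__ == "__main__":
    for label, t in (("loose", LOOSE_TRANSFORM), ("anchored", ANCHORED_TRANSFORM)):
        print(label, apply_filter(SAMPLE_EVENTS, [t]))
```

With the loose pattern, events 1 and 3 both go to nullQueue; with the anchored pattern only event 1 is dropped. The field name to match has to come from an actual indexed event, as the answer says: Windows event log fields differ between collection methods, so the regex stays an assumption until it has been confirmed against real data, and the authoritative check after a restart is a search on the sourcetype that shows the unwanted source gone while the other sources keep arriving.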

n_greder
New Member

Please, I need help, I don't understand why it's not working properly!!!

I tried to add a local WMI collection on my Splunk server; my inputs.conf contains:

[default]
host = VM-SPLUNK

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 1

[WMI:WinEventLog:Application]
disabled = 1

[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
disabled = 1

[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 1

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
disabled = 1

[monitor://c:\Windows\WindowsUpdate.log]
disabled = 1

[WMI:LocalPhysicalDisk]
disabled = 1

Now when I take a look at the search dashboard, I always see events from my remote Application event log and from my WMI:LocalPhysicalDisk.
I restarted the Splunk process, so it's just incredible; what am I missing that could explain why Splunk doesn't take my filters into account??

0 Karma

lguinn2
Legend

Once you have sorted out the actual indexing of the Event Logs, you can then set up the filtering by sourcename=Userenv

0 Karma

lguinn2
Legend

Finally, once data is in the index, it stays there. So if you stop indexing the Event Log, Splunk will not add new events, but it does not delete the events that have already been indexed.

0 Karma

lguinn2
Legend

Since you are new to Splunk, I suggest that you should be doing one or more of the following:

1) Use the GUI to manage your configuration instead of editing the configuration files directly. The GUI will help you get the configurations correct and prevent typographical errors, etc.

2) Install the Splunk for Windows app. It's free. In the Splunk Manager, go to Find More Apps Online. Pick the app(s) that you want and Splunk will install them. In the Windows app, there is a setup screen that lets you select which data you want to index.

0 Karma

n_greder
New Member

Huuuuuuu, I noticed that my entry for WMI:WinEventLog:Application was deleted, so no chance that Splunk collects something else...

I really don't understand, I will give up on this software if I'm not able to filter anything!

0 Karma

n_greder
New Member

OK, I finally understand what's going wrong... I have to respect the order of the rules!

Changing my inputs.conf like this works as I want:
[WMI:WinEventLog:Application]
disabled = 1

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

Now my remote EventLog:Application is no longer indexed.
OK, I have to filter on events now... 🙂

0 Karma

n_greder
New Member

ERRATUM: finally, when I disable all entries, Splunk stops collecting data... So I changed the lines:

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WMI:WinEventLog:Application]
disabled = 1

But WMI:WinEventLog:Application is still being indexed... I don't see how to troubleshoot this behavior.

0 Karma

n_greder
New Member

Hi,

thanks for your help.

I installed the latest release of Splunk; currently I index only the WMI:WinEventLog:Application of one server.

So I have only one stanza in my wmi.conf file.
And the main goal is to prevent Splunk from indexing all events from my event log with sourcename=Userenv.

0 Karma


lguinn2
Legend

You put disabled=1 into wmi.conf in /etc/system/local.

However, disabled=1 only disables the stanza in which it appears. It does not disable any other stanzas for sourcetype WMI:WinEventLog:Application.

So, you need to find where all the stanzas that affect event logs are defined. There is probably only one other wmi.conf, but there could be more than one. You must disable the stanzas in all of them...

As for filtering events with sourcename=Userenv, I need more information to help. Are you trying to only index events with sourcename=Userenv, or to eliminate events with sourcename=Userenv? I assume that you mean within just the Windows Application Event Log.

0 Karma
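To see why disabled = 1 in one stanza leaves other stanzas running, here is an added example (not the poster's files and not Splunk's own code): a minimal Python merge of several wmi.conf layers in an assumed precedence order, lowest first with $SPLUNK_HOME/etc/system/local last. The three layers are constructed; the stanza name WMI:AppLogMirror is invented and stands in for "some other stanza that also collects the Application log".

```python
from typing import Dict, List, Tuple

Stanza = Dict[str, str]
Conf = Dict[str, Stanza]

# Constructed wmi.conf layers, listed from lowest to highest precedence
# (assumed order for this example: an app's default, then the app's local,
# then etc/system/local, which wins). None of these are real files.
CONF_LAYERS: List[Tuple[str, str]] = [
    ("etc/apps/windows/default/wmi.conf", """
[WMI:WinEventLog:Application]
server = VM-APP01
event_log_file = Application
disabled = 0

# hypothetical second stanza that collects the same log under another name
[WMI:AppLogMirror]
server = VM-APP01
event_log_file = Application
disabled = 0

[WMI:LocalPhysicalDisk]
wql = select * from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
disabled = 0
"""),
    ("etc/apps/windows/local/wmi.conf", """
[WMI:WinEventLog:System]
server = VM-APP01
event_log_file = System
disabled = 0
"""),
    ("etc/system/local/wmi.conf", """
[WMI:WinEventLog:Application]
disabled = 1
"""),
]


def parse_conf(text: str) -> Conf:
    """Parse Splunk's .conf syntax: [stanza] headers and key = value lines."""
    conf: Conf = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            conf.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conf[current][key.strip()] = value.strip()
    return conf


def merge_layers(layers: List[Tuple[str, str]]) -> Conf:
    """Merge layers key by key: a stanza of the same name in a later (higher
    precedence) layer overrides only the keys it sets; other stanzas are untouched."""
    merged: Conf = {}
    for _path, text in layers:
        for stanza, settings in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def enabled_event_log_stanzas(merged: Conf) -> Dict[str, List[str]]:
    """Map each Windows event log still being collected to the enabled stanzas collecting it."""
    collectors: Dict[str, List[str]] = {}
    for stanza, settings in merged.items():
        if settings.get("disabled", "0") == "1":
            continue
        log = settings.get("event_log_file")
        if log:
            collectors.setdefault(log, []).append(stanza)
    return collectors


if __name__ == "__main__":
    merged = merge_layers(CONF_LAYERS)
    for stanza, settings in merged.items():
        print(stanza, "disabled =", settings.get("disabled", "0"))
    print("still collecting:", enabled_event_log_stanzas(merged))
```

The merged WMI:WinEventLog:Application stanza ends up disabled, yet the Application log is still collected through WMI:AppLogMirror, which is exactly the situation the answer describes. On a real installation, `splunk btool wmi list --debug` prints the same merged view together with the file each setting came from, which is the quickest way to find every stanza that still feeds an event log.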