Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Filter all windows event logs from single server

timmy13
Communicator
‎06-14-2012 08:57 AM

I need to filter all windows event log records from being indexed. I am using the universal forwarder, so on my indexers, I have the following:

props.conf

[host::myserver]
TRANSFORMS-winlogs = FilterWinSecurityLogs

transforms.conf

[FilterWinSecurityLogs]
REGEX=sourcetype=(WMI*|WinEvent*)
DEST_KEY=queue
FORMAT=nullQueue

THis doesn't seem to work.

Is the * wildcard valid in the REGEX valid?

Thanks!

Tags (2)
0 Karma
Reply

timmy13
Communicator
‎06-15-2012 08:08 AM

That would disable it across all windows servers. I just need it for ONE server. My transforms currently looks like this but is not working

[FilterAllWMILogs]
SOURCE_KEY = sourcetype
REGEX = .*WMI*
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply

timmy13
Communicator
‎06-18-2012 07:22 AM

`props.conf:

[host::myserver]
TRANSFORMS-winlogs = FilterAllWMILogs

transforms.conf:

[FilterAllWMILogs]
SOURCE_KEY = sourcetype
REGEX = .*WMI*
DEST_KEY = queue
FORMAT = nullQueue`

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-17-2012 01:11 PM

Hm. that SHOULD work, even if I would say that the REGEX should be;

REGEX = .xWMI.x

Where the x's above are asterisks. sorry about the formatting.

Are you referencing it correctly from props.conf (I saw you had changed the name of the transforms stanza).

I haven't used this type of transform myself, but I don't see why this should pose any real problems.

/K

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-17-2012 10:29 AM

Are you using the Deployment Server, and have all input configurations in the same deployed app?

/k

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-14-2012 09:41 AM

The best would naturally be to disable the monitoring on the host in question.

If this (for some odd reason) is NOT the way to go, then you should alter the transforms stanza like so;

[FilterWinSecurityLogs]
SOURCE_KEY = sourcetype
REGEX = .*WinEventLog.*
DEST_KEY = queue
FORMAT = nullQueue

Hope this helps,

Kristian

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-14-2012 10:24 AM

Well, I didn't mean that you should disable ALL monitoring, just the WinEventLog stuff.

Just find your inputs.conf and add disabled=1 to the WinEventLog stanza(s).

/k

0 Karma
Reply

timmy13
Communicator
‎06-14-2012 10:17 AM

No, I do not wish to disable monitoring as we still need application logs from this server. I'll give your suggest a shot, thanks.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...