Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Filtering Events

jdonovan
New Member
‎07-02-2012 07:35 AM

I am trying to filter events, and am not having any luck.

Log info in Splunk:
LogName=System
SourceName=Microsoft-Windows-Service Control Manager
EventCode=7036
EventType=4
Type=Information
ComputerName=xxNAMExx
TaskCategory=The operation completed successfully.
OpCode=The operation completed successfully.
RecordNumber=29077
Keywords=Classic
Message=The WMI Performance Adapter service entered the stopped state.

these files have been changed on the machine that forwards the data.

props.conf
[WMI:WinEventLog:System]
TRANSFORMS-wmi=wminull

transforms.conf
[wminull]
REGEX=(?m)^EventCode=(7036)
DEST_KEY=queue
FORMAT=nullQueue

what am i missing?
thanks

Tags (1)
0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎07-02-2012 08:52 AM

You can't do this on a universal forwarder. It needs to happen where the data is parsed, which is either at the indexer or the heavy forwarder acting as an intermediate forwarder.

Reply

erstexas
Path Finder
‎06-21-2013 01:29 PM

Can this be a feature request? Why saturate the network and bog down the indexer with events that you do not even want?

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎07-02-2012 01:56 PM

Sending things to the nullQueue can only happen at parse time. You might consider tuning down some of the "interval" settings in wmi.conf, however

0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎07-02-2012 10:24 AM

There are not any ways to further limit which system events are sent. You could remove the system events completely, but if you only want to have certain system events, those have to be thrown out at the indexer.

0 Karma
Reply

jdonovan
New Member
‎07-02-2012 09:39 AM

i saw that after looking for a different way to do this. the problem is we want to limit what gets sent to the indexer because of the bandwidth usage. changing forwarders would not be an option as we have 800+ clients forwarding data. are there any other ways to limit what is sent?

0 Karma
Reply

jdonovan
New Member
‎07-02-2012 07:43 AM

i am using a universal forwarder, if that matters and spunk version 4.3

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...