- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Filtering out Platform Filtering, null/nullq, ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are attempting to filter out events that we do not wish to index.
In props.conf:
[source::WinEventLog:Security]
TRANSFORMS-nullq=DropFilteringPlatform
In transforms.conf:
[DropFilteringPlatform]
REGEX=(?msi)^TaskCategory=Filtering\\sPlatform
DEST_KEY=queue
FORMAT=nullqueue
My first question is, does that look like it would filter out the Windows Platform Filtering events?
The second question, though probably stupid is, what is the difference between null and nullq in the props.conf? I'm also curious about the queue, nullqueue, and null in transforms.conf, is there a document that explains any of that?
The last question is, I want to pull in WMI data from any terminals that come on a specific subnet. When adding in the data to search for with WMI, is there a way to make it pull from an entire subnet?
Thanks in advance for any help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) I'm not familiar with
TaskCategory=Filtering\\sPlatform
But it looks good if the string matches the actuall string. You can test it in a search string with regex.
2) nullq is a tag you create for yourself to identify the TRANSFORM, whereas nullQueue is a destination defined inside Splunk to send the data 'no where'.
3) When you specify a subnet (10.1.1.0/24) it does not throw an error, but it also does not collect data, so No. You cannot collect WMI data by subnet.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) I'm not familiar with
TaskCategory=Filtering\\sPlatform
But it looks good if the string matches the actuall string. You can test it in a search string with regex.
2) nullq is a tag you create for yourself to identify the TRANSFORM, whereas nullQueue is a destination defined inside Splunk to send the data 'no where'.
3) When you specify a subnet (10.1.1.0/24) it does not throw an error, but it also does not collect data, so No. You cannot collect WMI data by subnet.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You really should create new questions because it helps keep things organized for searching.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should specify the source exactly.
source::WMI:WinEventLog:Security
Use a different transform in props.conf like
TRANSFORMS-nullq5156 = dropEvent5156
The regex for that is
REGEX = (?msi)^EventCode=5156\D
WMI logs are pulled pretty much as they are generated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks again for the quick responses. I figured I may just end up having to do something similar to that.
Back to the filtering portion, I am trying to get rid of Event Code 5156 coming from the remote hosts via WMI.
In Splunk itself the source is listed as "WMI:WinEventLog:Security", does it need to be listed exactly that way in props.conf or does "[Source::WinEventLog:Security" still cover it?
I don't mean to badger with questions, but how often does Splunk pull the logs via WMI?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some areas of splunk allow you to specify subnets in CIDR notation, but I tried that here and it did not work for me. This field apparently requires a comma separated list. An easy way to create a list would be to use Excel - enter the first 3 then just drag the rest, then save as a csv. Drag it on a row instead of a column to get them all on one line.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the quick response, makes more sense now.
As for my last question, just as an example. Lets say I install Splunk at a remote location and I want it to pull data from a local subnet. Lets just say 10.0.0.1 - 10.0.0.255, that way if a host was added or removed it would pick it up automatically, hopefully.
How would I input that? At the screen to add new Event Logs via WMI/remote hosts you enter one IP to pull logs from, and then you have a field to "Collect the same set of logs from additional hosts".
I tried entering 10.0.0.* and
10.0.0.1-10.0.0.255
Neither worked
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
