Getting Data In

How do I exclude some windows events from being indexed??

Path Finder

Hi all!.
I'm new with Splunk. I´m trying to exclude some events from being indexed but I really don´t know where to start. Where do i need to exclude these events IDs? For example, events 576, 576, 538, 540, etc.

Many thanks in advance

Tags (2)

Splunk Employee
Splunk Employee

Beware :

Path Finder

How does this apply to WMI data being collected by the universal forwarder? Do I have to create these config files locally on each system with the forwarder? I modified my configs on the Indexer and it had no effect.

0 Karma

Path Finder

I have the trial version actually. I Modified the files from
c:\program files\Splunk\etc\system\default. This is what you asked for?

0 Karma

Path Finder

That works excellent!! Many thanks

0 Karma

Splunk Employee
Splunk Employee

It is probably better to add comments vs adding in your comments as new answers. That being said, changes should be made into $SPLUNK_HOME/etc/system/local. Still, not sure what version your running..'trial' is just the latest, AFAIK, so I presume its either 4.2 or 4.2.1.

FYI: http://www.splunk.com/base/Documentation/latest/admin/Aboutconfigurationfiles

'When you edit a configuration file, you should not edit the version in $SPLUNK_HOME/etc/system/default.'

Splunk Employee
Splunk Employee

Hello,

You should review the following link, there is an example of this which can be found here:

http://www.splunk.com/base/Documentation/latest/Deploy/Routeandfilterdatad

Filter WMI events

To filter on WMI events, you must use the [wmi] source type stanza in props.conf. The following example uses regex to filter out two Windows event codes, 592 and 593:

In props.conf:

[wmi]
TRANSFORMS-wmi=wminull

In transforms.conf:

[wminull]
REGEX=(?m)^EventCode=(592|593)
DEST_KEY=queue
FORMAT=nullQueue

Splunk Employee
Splunk Employee

Where are you trying to do this? On an Indexer? How is this data making it into Splunk? These settings should be implemented where the data is actually parsed. So, maybe that is the story? Also, what version of splunk is this? This was broken in 4.2, fixed in 4.2.1

Path Finder

Maybe I'm doing something wrong. It Doesn't appear to be working. I modified both files adding the text you posted but events are still being indexed.
Should I modified something else? Is there any other component that must be enabled to do this?
Regards

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!