Hi all!.
I'm new with Splunk. I´m trying to exclude some events from being indexed but I really don´t know where to start. Where do i need to exclude these events IDs? For example, events 576, 576, 538, 540, etc.
How does this apply to WMI data being collected by the universal forwarder? Do I have to create these config files locally on each system with the forwarder? I modified my configs on the Indexer and it had no effect.
It is probably better to add comments vs adding in your comments as new answers. That being said, changes should be made into $SPLUNK_HOME/etc/system/local. Still, not sure what version your running..'trial' is just the latest, AFAIK, so I presume its either 4.2 or 4.2.1.
To filter on WMI events, you must use the [wmi] source type stanza in props.conf. The following example uses regex to filter out two Windows event codes, 592 and 593:
In props.conf:
[wmi]
TRANSFORMS-wmi=wminull
In transforms.conf:
[wminull]
REGEX=(?m)^EventCode=(592|593)
DEST_KEY=queue
FORMAT=nullQueue
Where are you trying to do this? On an Indexer? How is this data making it into Splunk? These settings should be implemented where the data is actually parsed. So, maybe that is the story? Also, what version of splunk is this? This was broken in 4.2, fixed in 4.2.1
Maybe I'm doing something wrong. It Doesn't appear to be working. I modified both files adding the text you posted but events are still being indexed.
Should I modified something else? Is there any other component that must be enabled to do this?
Regards
