Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do you filter windows logs by level?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any way to get only critical and error logs from Windows?
I mean, Windows generates logs using different levels (Critical, Warning, Error, Information...) and I don't want the Information logs on Splunk, so I would like to configure the forwarder to not send them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @crsupportddc,
So I assume the Windows events (which are multiline) contain this line which you want to base your filter on:
Type=Information
Check out this page on how to filter specific events: Discard specific events and keep the rest.
On your heavy forwarder/indexer (whatever system comes after the Universal Forwarder), add the following lines to props.conf:
[WinEventLog:Application]
TRANSFORMS-filter = filter_information
[WinEventLog:Security]
TRANSFORMS-filter = filter_information
[WinEventLog:System]
TRANSFORMS-filter = filter_information
WinEventLog:Application, WinEventLog:Security and WinEventLog:System refer to the sourcetypes.
And add the following lines to transforms.conf:
[filter_information]
REGEX = Type=Information
DEST_KEY = queue
FORMAT = nullQueue
Do not forget to restart Splunk after making these changes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @crsupportddc,
So I assume the Windows events (which are multiline) contain this line which you want to base your filter on:
Type=Information
Check out this page on how to filter specific events: Discard specific events and keep the rest.
On your heavy forwarder/indexer (whatever system comes after the Universal Forwarder), add the following lines to props.conf:
[WinEventLog:Application]
TRANSFORMS-filter = filter_information
[WinEventLog:Security]
TRANSFORMS-filter = filter_information
[WinEventLog:System]
TRANSFORMS-filter = filter_information
WinEventLog:Application, WinEventLog:Security and WinEventLog:System refer to the sourcetypes.
And add the following lines to transforms.conf:
[filter_information]
REGEX = Type=Information
DEST_KEY = queue
FORMAT = nullQueue
Do not forget to restart Splunk after making these changes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the help.
I managed to create a blacklist and avoid some specific logs but I'll implement what you mentioned to completely ignore the Information logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filtering by blacklisting specific EventCodes works as well. Good thinking.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
