I would like to filter/blacklist all events of type/level "Information" on Splunk 6.5.0. I am using WMI to collect logs from my servers. I am not sure whether to blacklist them in \etc\system\default\inputs.conf or \etc\system\local\inputs.conf.
I am not sure about the syntax I need to use since I am new to Splunk. I am not using a forwarder to collect events.
Hello. Basically I would like to index all errors and warnings and discard the rest. At the moment I am ONLY able to index errors and everything else is discarded; I now want to index errors and warnings.
What I have that is working for errors only:
props.conf
[WMI:WinEventLog:Application]
TRANSFORMS-evtlog = nullQueue, errorOnly
transforms.conf
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue
[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue
What I have tried for Windows errors and warnings, but it does not work:
props.conf
[WMI:WinEventLog:Application]
TRANSFORMS-evtlog = nullQueue, errorOnly, warningOnly
transforms.conf
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue
[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue
[warningOnly]
REGEX=Warning
DEST_KEY=queue
FORMAT=indexQueue
Your help will be greatly appreciated.
@citosysadmin - Were you able to test out paulstout's solution? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!
This works excellently for indexing errors and discarding everything else.
props.conf
[WMI:WinEventLog:Application]
TRANSFORMS-evtlog = nullQueue, errorOnly
transforms.conf
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue
[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue
But now I would like to index errors and warnings. I have tried the below but it is not working the way I want.
props.conf
[WMI:WinEventLog:Application]
TRANSFORMS-evtlog = nullQueue, errorOnly, warningOnly
transforms.conf
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue
[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue
[warningOnly]
REGEX=Warning
DEST_KEY=queue
FORMAT=indexQueue
Perhaps I am doing something wrong.
Your help will be greatly appreciated.
What you're asking to do sounds a lot like this question:
https://answers.splunk.com/answers/11617/route-unwanted-logs-to-a-null-queue.html
You'd want to use this REGEX in transforms.conf:
REGEX=Type=Information
That should filter for the WinEventLog:* sourcetypes.
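As an added illustration (not part of any post in this thread), here is a small Python simulation of how Splunk evaluates a TRANSFORMS-<class> chain: the transforms run in the listed order and each matching REGEX overwrites DEST_KEY, so the last match decides the queue. The sample events are constructed, loosely modelled on the one-"Key=Value"-per-line layout of WMI:WinEventLog events; the field names, the "Type=" line and the default destination of indexQueue are assumptions, not output captured from a real host.

```python
import re

# Constructed sample events (not captured from a real host), loosely modelled
# on the one-"Key=Value"-per-line layout of Splunk's WMI:WinEventLog events.
EVENTS = {
    "error": "LogFile=Application\nType=Error\nSourceName=MSSQLSERVER\n"
             "Message=Login failed for user 'sa'.",
    "warning": "LogFile=Application\nType=Warning\nSourceName=ESENT\n"
               "Message=Database checkpoint is overdue.",
    "info": "LogFile=Application\nType=Information\nSourceName=MsiInstaller\n"
            "Message=Installation completed successfully.",
    # Information event whose free text happens to contain the word "Warning".
    "info_tricky": "LogFile=Application\nType=Information\nSourceName=Backup\n"
                   "Message=Warning count: 0.",
}

# Each chain is the ordered list of (REGEX, FORMAT) pairs that a
# TRANSFORMS-<class> line names; every stanza modelled here has DEST_KEY=queue.
ORIGINAL = [(r".", "nullQueue"), (r"Error", "indexQueue"), (r"Warning", "indexQueue")]
ANCHORED = [(r".", "nullQueue"), (r"(?m)^Type=(Error|Warning)$", "indexQueue")]
ANSWER = [(r"Type=Information", "nullQueue")]   # the approach from the answer above

def route(event, chain):
    """Mimic Splunk's evaluation of a TRANSFORMS-<class> chain: transforms run
    in the listed order and each matching REGEX overwrites the queue key, so
    the last matching transform decides. Assumed default: indexQueue."""
    queue = "indexQueue"
    for regex, fmt in chain:
        if re.search(regex, event):
            queue = fmt
    return queue

def route_all(chain):
    """Return {event_name: destination_queue} for every sample event."""
    return {name: route(text, chain) for name, text in EVENTS.items()}

def leaks(chain):
    """Names of the Information events a chain would still index."""
    return sorted(name for name, queue in route_all(chain).items()
                  if queue == "indexQueue" and name.startswith("info"))

if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL), ("anchored", ANCHORED), ("answer", ANSWER)):
        print(f"{label:9s} {route_all(chain)}  leaks={leaks(chain)}")
```

Running it shows that the bare-word chain from the question still indexes the Information event whose message text contains "Warning", while anchoring the regex on the Type= line (or nulling Type=Information as the answer suggests) does not.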