Getting Data In

How to filter or blacklist all event type/level "information" on Splunk 6.5.0?

New Member

I would like to filter/blacklist all events of type/level "Information" on Splunk 6.5.0. I am using WMI to collect logs from my servers. I am not sure whether we blacklist them in \etc\system\default\inputs.conf or \etc\system\local\inputs.conf.

I am not sure about the syntax I need to use since I am new to Splunk. I am not using a forwarder to collect events.

0 Karma

Re: How to filter or blacklist all event type/level "information" on Splunk 6.5.0?

Path Finder

What you're asking to do sounds a lot like this question:

https://answers.splunk.com/answers/11617/route-unwanted-logs-to-a-null-queue.html

You'd want to use this REGEX in transforms.conf:

REGEX=Type=Information

That should filter the WinEventLog:* sourcetypes.


Re: How to filter or blacklist all event type/level "information" on Splunk 6.5.0?

Influencer

@citosysadmin - Were you able to test out paulstout's solution? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!

0 Karma

Re: How to filter or blacklist all event type/level "information" on Splunk 6.5.0?

New Member

This works excellently for indexing errors and discarding everything else:

Props
[WMI:WinEventLog:Application]
TRANSFORMS-evtlog = nullQueue, errorOnly

Transforms
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue

But now I would like to index errors and warnings. I have tried the below, but it is not working the way I want.

Props
[WMI:WinEventLog:Application]
TRANSFORMS-evtlog = nullQueue, errorOnly, warningOnly

Transforms
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue

[warningOnly]
REGEX=Warning
DEST_KEY=queue
FORMAT=indexQueue

Perhaps I am doing something wrong.

Your help will be greatly appreciated.

0 Karma

Re: How to filter or blacklist all event type/level "information" on Splunk 6.5.0?

New Member

Hello. Basically, I would like to index all errors and warnings and discard the rest. At the moment I am ONLY able to index errors, and everything else is discarded; I would now like to index errors and warnings.

What I have that is working for errors only:

Props
[WMI:WinEventLog:Application]
TRANSFORMS-evtlog = nullQueue, errorOnly

Transforms.conf
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue

What I have tried for Windows errors and warnings, but which does not work:

Props
[WMI:WinEventLog:Application]
TRANSFORMS-evtlog = nullQueue, errorOnly, warningOnly

Transforms.conf
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue

[warningOnly]
REGEX=Warning
DEST_KEY=queue
FORMAT=indexQueue

Your help will be greatly appreciated...

0 Karma
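The two routing recipes in this thread (the Path Finder's "send Type=Information to nullQueue" and the later posts' "discard everything, then override Error and Warning back to indexQueue") both rely on the same Splunk rule: every DEST_KEY=queue transform listed in one TRANSFORMS-* setting runs in order, and the last one whose REGEX matches decides the queue. The example below is added here and is not code from the thread or from Splunk. It embeds a hypothetical corrected transforms.conf (stanza name keepErrorWarning, regex anchored to the Type= header line with (?m)^Type=(Error|Warning)), the thread's unanchored REGEX=Error variant for comparison, a minimal .conf parser, and a route() function that applies the last-match-wins rule to a few constructed WMI:WinEventLog:Application records (made up for this example, not real log data). It assumes the stanzas live under $SPLUNK_HOME/etc/system/local, not the default directory, which should never be edited. Running it shows that the anchored regex keeps Error and Warning events and drops Information events even when their message body contains the word "Error", while the unanchored pattern drops the Warning event and indexes that Information event.

```python
"""Simulate Splunk's ordered TRANSFORMS-* queue routing for WMI event logs.

Added example, not code from the original thread or from Splunk. It applies the
rule Splunk documents for DEST_KEY=queue transforms listed in one TRANSFORMS-*
setting: each transform whose REGEX matches the raw event sets the queue, so the
last matching transform wins. Events below are constructed to look like
WMI:WinEventLog:Application records (Type=Error / Warning / Information).
"""
import re

# Hypothetical corrected stanzas, as they would sit in
# $SPLUNK_HOME/etc/system/local/transforms.conf (never edit the default/ copy).
# nullQueue matches every event; keepErrorWarning overrides only the wanted ones.
TRANSFORMS_CONF = """
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[keepErrorWarning]
REGEX=(?m)^Type=(Error|Warning)
DEST_KEY=queue
FORMAT=indexQueue
"""

# The unanchored pattern from the thread, for comparison: "Error" anywhere in the event.
LOOSE_TRANSFORMS_CONF = """
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue
"""

# Order as written in props.conf: TRANSFORMS-evtlog = nullQueue, keepErrorWarning
TRANSFORMS_ORDER = ["nullQueue", "keepErrorWarning"]
LOOSE_ORDER = ["nullQueue", "errorOnly"]


def parse_conf(text):
    """Minimal parser for Splunk .conf text: returns {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def route(event, transforms, order):
    """Return the queue an event lands in after the ordered transforms run.

    The default is indexQueue; each DEST_KEY=queue transform whose REGEX matches
    overwrites the queue, so the last match decides (Splunk's documented rule).
    """
    queue = "indexQueue"
    for name in order:
        t = transforms[name]
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue


# Constructed sample events in the WMI WinEventLog header layout (not real data).
EVENTS = {
    "error": "LogName=Application\nEventCode=1000\nType=Error\nMessage=Faulting application foo.exe",
    "warning": "LogName=Application\nEventCode=1530\nType=Warning\nMessage=Registry handles leaked",
    "info": "LogName=Application\nEventCode=1\nType=Information\nMessage=Service started",
    # An Information event whose message body happens to contain the word "Error".
    "info_with_error_text": "LogName=Application\nEventCode=2\nType=Information\nMessage=Error count reset to 0",
}


def route_all(conf_text=TRANSFORMS_CONF, order=TRANSFORMS_ORDER):
    """Route every sample event and return {event_name: queue}."""
    transforms = parse_conf(conf_text)
    return {name: route(ev, transforms, order) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    print("anchored  :", route_all())
    print("unanchored:", route_all(LOOSE_TRANSFORMS_CONF, LOOSE_ORDER))
```

The ordering matters in both directions: putting keepErrorWarning before nullQueue would send every event to nullQueue, because the catch-all runs last. Splunk's REGEX is PCRE, so the (?m) inline flag used here behaves the same way in transforms.conf as it does in Python's re module.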