Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to filter out WMI Windows events with blacklist in Splunk 6.1.3?

feliz
New Member
‎09-18-2014 01:06 AM

Hello there!

We collect WMI Windows event with Splunk 6.1.3 and we want to filter some of these events. We tried with props.conf and transforms.conf, unsuccessfully. Here are the files, found in official doc:

props.conf

[WinEventLog:Security]
TRANSFORMS-wmi=wminull

transforms.conf

[wminull]
REGEX=(?m)^EventCode=(5154|5157)
DEST_KEY=queue
FORMAT=nullQueue

We also tried from:

http://answers.splunk.com/answers/169030/wmi-blacklist-splunk-6.html

http://answers.splunk.com/answers/12375/wineventlog-filtering-eventcode.html

http://answers.splunk.com/answers/141136/how-to-filter-wmi-event-logs-using-blacklist-props-or-trans...

Any help would be much appreciated!

Tags (2)
0 Karma
Reply

rdjoraev_splunk
Splunk Employee
Splunk Employee
‎06-30-2015 02:37 PM

As per Splunk documentation, release 6.x, stanza should be [WinEventLog:Security] in the inputs.conf file.
It doesn't not mention about [WMI:WinEventLog:Security].

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/MonitorWindowsdata

http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whitelistorblacklistspecificincomingdata

0 Karma
Reply

mfhuang_splunk
Splunk Employee
Splunk Employee
‎09-18-2014 04:12 PM

You should use [WMI:WinEventLog:Security] in props.conf

Also, if you are collecting events on local machine, consider using WinEventLog instead of WMI. You can specify black/whitelist in inputs.conf.
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Inputsconf

0 Karma
Reply

feliz
New Member
‎09-19-2014 12:08 AM

Hey thanks for your answer! Even when using [WMI:WinEventLog:Security] instead of [WinEventLog:Security] it didn't work.

We've already been using black and whitelist for WinEventLog and it's perfectly working. Can't figure out why it's not for WMI...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...