Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter out WMI Windows events with blacklist in Splunk 6.1.3?

feliz
New Member
‎09-18-2014 01:06 AM

Hello there!

We collect WMI Windows event with Splunk 6.1.3 and we want to filter some of these events. We tried with props.conf and transforms.conf, unsuccessfully. Here are the files, found in official doc:

props.conf

[WinEventLog:Security]
TRANSFORMS-wmi=wminull

transforms.conf

[wminull]
REGEX=(?m)^EventCode=(5154|5157)
DEST_KEY=queue
FORMAT=nullQueue

We also tried from:

http://answers.splunk.com/answers/169030/wmi-blacklist-splunk-6.html

http://answers.splunk.com/answers/12375/wineventlog-filtering-eventcode.html

http://answers.splunk.com/answers/141136/how-to-filter-wmi-event-logs-using-blacklist-props-or-trans...

Any help would be much appreciated!

Tags (2)
0 Karma
Reply

rdjoraev_splunk
Splunk Employee
Splunk Employee
‎06-30-2015 02:37 PM

As per Splunk documentation, release 6.x, stanza should be [WinEventLog:Security] in the inputs.conf file.
It doesn't not mention about [WMI:WinEventLog:Security].

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/MonitorWindowsdata

http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whitelistorblacklistspecificincomingdata

0 Karma
Reply

mfhuang_splunk
Splunk Employee
Splunk Employee
‎09-18-2014 04:12 PM

You should use [WMI:WinEventLog:Security] in props.conf

Also, if you are collecting events on local machine, consider using WinEventLog instead of WMI. You can specify black/whitelist in inputs.conf.
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Inputsconf

0 Karma
Reply

feliz
New Member
‎09-19-2014 12:08 AM

Hey thanks for your answer! Even when using [WMI:WinEventLog:Security] instead of [WinEventLog:Security] it didn't work.

We've already been using black and whitelist for WinEventLog and it's perfectly working. Can't figure out why it's not for WMI...

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...