We collect WMI Windows events with Splunk 6.1.3 and we want to filter some of these events. We tried with props.conf and transforms.conf, unsuccessfully. Here are the files, found in the official docs:
[wminull]
REGEX = (?m)^EventCode=(5154|5157)
DEST_KEY = queue
FORMAT = nullQueue
We also tried from:
Any help would be much appreciated!
As per Splunk documentation, release 6.x, stanza should be [WinEventLog:Security] in the inputs.conf file.
It doesn't mention [WMI:WinEventLog:Security].
You should use [WMI:WinEventLog:Security] in props.conf
Also, if you are collecting events on local machine, consider using WinEventLog instead of WMI. You can specify black/whitelist in inputs.conf.
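For reference, here is the complete index-time filter the thread is describing, as an added example and not a file posted by anyone in the thread. It assumes the WMI input's sourcetype is WMI:WinEventLog:Security and that props.conf and transforms.conf live where the data is parsed (an indexer or heavy forwarder, since a universal forwarder does not run index-time transforms); the inputs.conf stanza is the local-collection alternative mentioned above.

```ini
# props.conf  (on the parsing tier)
# Stanza name must match the sourcetype the WMI input assigns.
[WMI:WinEventLog:Security]
TRANSFORMS-null = wminull

# transforms.conf  (same tier as props.conf)
# (?m) makes ^ match at the start of any line inside the multi-line event,
# so "EventCode=" is matched wherever it appears in the event body.
[wminull]
REGEX = (?m)^EventCode=(5154|5157)
DEST_KEY = queue
FORMAT = nullQueue

# inputs.conf  (alternative when collecting from the local host with the
# native WinEventLog input instead of WMI; events are dropped before
# they leave the forwarder, so no props/transforms are needed)
[WinEventLog://Security]
disabled = 0
blacklist = 5154,5157
```

After editing props.conf or transforms.conf, restart splunkd on that host; only events arriving after the restart are filtered, and already-indexed events are unaffected.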
Hey thanks for your answer! Even when using [WMI:WinEventLog:Security] instead of [WinEventLog:Security] it didn't work.
We've already been using blacklist and whitelist for WinEventLog and it's working perfectly. Can't figure out why it's not for WMI...