Getting Data In

How to filter out WMI Windows events with blacklist in Splunk 6.1.3?

New Member

Hello there!

We collect WMI Windows event with Splunk 6.1.3 and we want to filter some of these events. We tried with props.conf and transforms.conf, unsuccessfully. Here are the files, found in official doc:

props.conf

[WinEventLog:Security]
TRANSFORMS-wmi=wminull

transforms.conf

[wminull]
REGEX=(?m)^EventCode=(5154|5157)
DEST_KEY=queue
FORMAT=nullQueue

We also tried from:

http://answers.splunk.com/answers/169030/wmi-blacklist-splunk-6.html

http://answers.splunk.com/answers/12375/wineventlog-filtering-eventcode.html

http://answers.splunk.com/answers/141136/how-to-filter-wmi-event-logs-using-blacklist-props-or-trans...

Any help would be much appreciated!

Tags (2)
0 Karma

Splunk Employee
Splunk Employee

As per Splunk documentation, release 6.x, stanza should be [WinEventLog:Security] in the inputs.conf file.
It doesn't not mention about [WMI:WinEventLog:Security].

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/MonitorWindowsdata

http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whitelistorblacklistspecificincomingdata

0 Karma

Splunk Employee
Splunk Employee

You should use [WMI:WinEventLog:Security] in props.conf

Also, if you are collecting events on local machine, consider using WinEventLog instead of WMI. You can specify black/whitelist in inputs.conf.
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Inputsconf

0 Karma

New Member

Hey thanks for your answer! Even when using [WMI:WinEventLog:Security] instead of [WinEventLog:Security] it didn't work.

We've already been using black and whitelist for WinEventLog and it's perfectly working. Can't figure out why it's not for WMI...

0 Karma