Hello there!
We collect WMI Windows events with Splunk 6.1.3 and we want to filter some of these events. We tried with props.conf and transforms.conf, unsuccessfully. Here are the files, found in the official doc:
props.conf
[WinEventLog:Security]
TRANSFORMS-wmi=wminull
transforms.conf
[wminull]
REGEX=(?m)^EventCode=(5154|5157)
DEST_KEY=queue
FORMAT=nullQueue
We also tried from:
http://answers.splunk.com/answers/169030/wmi-blacklist-splunk-6.html
http://answers.splunk.com/answers/12375/wineventlog-filtering-eventcode.html
Any help would be much appreciated!
As per the Splunk documentation for release 6.x, the stanza should be [WinEventLog:Security] in the inputs.conf file.
It doesn't mention [WMI:WinEventLog:Security].
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/MonitorWindowsdata
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whitelistorblacklistspecificincomingdata
You should use [WMI:WinEventLog:Security] in props.conf.
Also, if you are collecting events on local machine, consider using WinEventLog instead of WMI. You can specify black/whitelist in inputs.conf.
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Inputsconf
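Putting the two answers together, here is the complete set of stanzas as an added example; it is not configuration posted in the thread. It assumes the WMI-collected events carry the sourcetype WMI:WinEventLog:Security named in the answer above, and reuses the event codes 5154 and 5157 from the question. The props/transforms nullQueue routing is evaluated in the parsing pipeline, so these stanzas belong on the indexer or heavy forwarder that parses the WMI data, not on a universal forwarder; the inputs.conf blacklist at the bottom is the local-collection alternative the second answer suggests, and that keyword applies to WinEventLog inputs rather than WMI inputs.

```ini
# Added example, not from the thread. Assumes the WMI event log data arrives
# with sourcetype WMI:WinEventLog:Security and that these files live on the
# Splunk instance that parses it (indexer or heavy forwarder).

# --- props.conf ---
[WMI:WinEventLog:Security]
TRANSFORMS-wmi = wminull

# --- transforms.conf ---
[wminull]
# (?m) lets ^ match at the start of any line inside the multi-line event
# body, so "EventCode=5154" or "EventCode=5157" on its own line matches.
# Matching events are routed to nullQueue and never indexed.
REGEX = (?m)^EventCode=(5154|5157)
DEST_KEY = queue
FORMAT = nullQueue

# --- inputs.conf (local collection alternative, second answer) ---
# For events read directly from the local event log, the 6.x WinEventLog
# input can drop the codes itself, before any parsing happens.
[WinEventLog://Security]
disabled = 0
blacklist = 5154,5157
```

After changing the props/transforms stanzas, restart Splunk on that instance and confirm with a search such as `sourcetype=WMI:WinEventLog:Security EventCode=5154` over a fresh time range that no new matching events are being indexed.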
Hey, thanks for your answer! Even when using [WMI:WinEventLog:Security] instead of [WinEventLog:Security] it didn't work.
We've already been using blacklists and whitelists for WinEventLog and they're working perfectly. Can't figure out why it's not working for WMI...