Getting Data In

How to filter out WMI Windows events with blacklist in Splunk 6.1.3?

feliz
New Member

Hello there!

We collect WMI Windows event with Splunk 6.1.3 and we want to filter some of these events. We tried with props.conf and transforms.conf, unsuccessfully. Here are the files, found in official doc:

props.conf

[WinEventLog:Security]
TRANSFORMS-wmi=wminull

transforms.conf

[wminull]
REGEX=(?m)^EventCode=(5154|5157)
DEST_KEY=queue
FORMAT=nullQueue

We also tried from:

http://answers.splunk.com/answers/169030/wmi-blacklist-splunk-6.html

http://answers.splunk.com/answers/12375/wineventlog-filtering-eventcode.html

http://answers.splunk.com/answers/141136/how-to-filter-wmi-event-logs-using-blacklist-props-or-trans...

Any help would be much appreciated!

Tags (2)
0 Karma

rdjoraev_splunk
Splunk Employee
Splunk Employee

As per Splunk documentation, release 6.x, stanza should be [WinEventLog:Security] in the inputs.conf file.
It doesn't not mention about [WMI:WinEventLog:Security].

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/MonitorWindowsdata

http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whitelistorblacklistspecificincomingdata

0 Karma

mfhuang_splunk
Splunk Employee
Splunk Employee

You should use [WMI:WinEventLog:Security] in props.conf

Also, if you are collecting events on local machine, consider using WinEventLog instead of WMI. You can specify black/whitelist in inputs.conf.
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Inputsconf

0 Karma

feliz
New Member

Hey thanks for your answer! Even when using [WMI:WinEventLog:Security] instead of [WinEventLog:Security] it didn't work.

We've already been using black and whitelist for WinEventLog and it's perfectly working. Can't figure out why it's not for WMI...

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...