I know this question has been asked many times over, but I can't see how my .conf files are different than the working examples. I seem to be getting all EventCodes in my index.
Could someone please do a double-check here?
# apps/search/local/wmi.conf
#
[default]
[WMI:DC Event Logs]
disabled = 0
event_log_file = Security
interval = 5
server = a-dc-01
# system/local/props.conf (also tried putting this under search)
#
[source::WMI:WinEventLog:Security]
TRANSFORMS-WMISecurityLog = setWMISecurityLogRetain,setWMISecurityLogNull
# system/local/transforms.conf (also tried putting this under search)
#
[setWMISecurityLogNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setWMISecurityLogRetain]
REGEX = (?m)^EventCode=(4662|5136|5137|5138|5139|5141)\D
DEST_KEY = queue
FORMAT = indexQueue
I'm trying to limit the log entries to the IDs above but I'm getting many more EventCodes than I want.
EventCode count(EventCode)
--------- ----------------
4662 44
4735 38
4768 84
4769 2413
4770 79
4771 13
4776 162
5159 1870
Thanks in advance, Hugh
UPDATE: Splunk 6.*
Since this version you can actually specify a list or range of EventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.
See http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
example:
[WinEventLog:Security]
disabled = 0
blacklist=566,800-850
See the example "Additional method to filter since Splunk 6.*":
http://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes
If you want to keep only the events listed in setWMISecurityLogRetain and drop the rest, please invert the order of your transforms.
TRANSFORMS-WMISecurityLog = setWMISecurityLogNull,setWMISecurityLogRetain
Please try them both, or use them both if you have a mix of forwarder versions, to cover them all.
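To make the ordering point in this answer concrete, here is a small Python model added as an illustration; it is not Splunk's code and not part of the original thread. It mimics how a TRANSFORMS-<class> list is evaluated (transforms run left to right, and the last one whose REGEX matches is the one whose DEST_KEY/FORMAT wins), runs the question's two transforms over a few constructed events in both orders, and also expands an inputs.conf style blacklist such as 566,800-850 into the set of EventCodes a forwarder would drop. The helper names (route_event, indexed_event_codes, parse_blacklist, forwarder_filter), the default queue, and the sample events are assumptions made for this example.

```python
import re

# Constructed sample events shaped like the WMI Security input output (the
# first line carries EventCode). Not real log data.
SAMPLE_EVENTS = [
    "EventCode=4662\nMessage=An operation was performed on an object.",
    "EventCode=4769\nMessage=A Kerberos service ticket was requested.",
    "EventCode=5136\nMessage=A directory service object was modified.",
    "EventCode=5159\nMessage=The Windows Filtering Platform blocked a bind.",
    # constructed code that must NOT match the \D guard in the regex
    "EventCode=51360\nMessage=constructed event, not in the retain list",
]

# The two transforms from the question, keyed like transforms.conf stanzas.
TRANSFORMS = {
    "setWMISecurityLogNull": {
        "REGEX": r".", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "setWMISecurityLogRetain": {
        "REGEX": r"(?m)^EventCode=(4662|5136|5137|5138|5139|5141)\D",
        "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}


def route_event(raw, transform_order, transforms=TRANSFORMS):
    """Simplified model of index-time routing (assumption for this example):
    transforms in the comma-separated list run left to right, and every one
    whose REGEX matches overwrites the queue key, so the last match wins."""
    queue = "indexQueue"  # assumed default when nothing rewrites the key
    for name in transform_order:
        t = transforms[name]
        if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue


def indexed_event_codes(events, transform_order):
    """Sorted EventCodes that survive to indexQueue under the given order."""
    kept = []
    for raw in events:
        if route_event(raw, transform_order) == "indexQueue":
            kept.append(re.match(r"EventCode=(\d+)", raw).group(1))
    return sorted(kept)


def parse_blacklist(spec):
    """Expand an inputs.conf style list such as '566,800-850' into a set of
    integer EventCodes. Hypothetical helper modelling the documented syntax,
    not Splunk's own parser."""
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            codes.update(range(lo, hi + 1))
        elif part:
            codes.add(int(part))
    return codes


def forwarder_filter(events, blacklist_spec):
    """Drop events whose EventCode is blacklisted before they are forwarded."""
    blocked = parse_blacklist(blacklist_spec)
    return [e for e in events
            if int(re.match(r"EventCode=(\d+)", e).group(1)) not in blocked]


if __name__ == "__main__":
    as_asked = ["setWMISecurityLogRetain", "setWMISecurityLogNull"]
    inverted = ["setWMISecurityLogNull", "setWMISecurityLogRetain"]
    print("order in the question :", indexed_event_codes(SAMPLE_EVENTS, as_asked))
    print("inverted order        :", indexed_event_codes(SAMPLE_EVENTS, inverted))
    print("blacklist 566,800-850 :", len(parse_blacklist("566,800-850")), "codes")
```

Under this model the order from the question sends every event to nullQueue, because setWMISecurityLogNull matches every event and runs last; the inverted order keeps only 4662 and 5136 from the sample set. That also means a transforms list that does apply cannot produce "every EventCode indexed": that symptom is consistent with the props.conf stanza never matching the source at all, which is the point the last comment on the thread raises. The trailing \D in the retain regex is what stops a constructed code such as 51360 from matching on the 5136 prefix.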
I'm still exploring this theory, but it seems like
[source::WMI:WinEventLog:Security]
[WMI:WinEventLog:Security]
Does that sound right?