
WMI Event Filtering not working


I'm not sure why, but this WMI filter isn't working. I'm trying to drop Windows Security Log events 4769, etc. before indexing. Any help is appreciated. Thanks!

props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull-1,wminull-2

transforms.conf:
[wminull-1]
REGEX=(?mi)EventCode=(4769|4634|4776|4672|4770)
DEST_KEY=queue
FORMAT=nullQueue

[wminull-2]
REGEX=(?mi)AccountName=(admin1|admin2|admin3)
DEST_KEY=queue
FORMAT=nullQueue


Re: WMI Event Filtering not working

Splunk Employee

Your example seems to be from Splunk 4.1.*; the sourcetype has changed since.

Try:

[WinEventLog:Security]
TRANSFORMS-wmi=wminull-1,wminull-2
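As an added check that is not part of the original thread: once the props.conf stanza matches the sourcetype the events actually arrive under, the only other thing that decides whether an event is dropped is whether its REGEX matches the raw event text. The script below applies the two REGEX values from the question's transforms.conf to constructed sample events (written in the multi-line key=value layout of the WinEventLog input, not captured from a real host) and reports which ones would go to nullQueue. Function names such as matching_transforms and filter_batch and the sample events are mine. It assumes the raw text literally contains lines like EventCode=4769 and AccountName=admin2; whether your input really writes AccountName= into _raw should be confirmed against a real event, because the transform runs on raw text at index time, not on fields extracted at search time.

```python
import re

# The two REGEX values copied verbatim from the transforms.conf stanzas on this page.
# Python honours the same (?mi) inline flags (multi-line, case-insensitive) as Splunk's PCRE.
NULLQUEUE_TRANSFORMS = {
    "wminull-1": re.compile(r"(?mi)EventCode=(4769|4634|4776|4672|4770)"),
    "wminull-2": re.compile(r"(?mi)AccountName=(admin1|admin2|admin3)"),
}


def matching_transforms(raw_event):
    """Names of the nullQueue transforms whose REGEX matches the raw event text."""
    return [name for name, rx in NULLQUEUE_TRANSFORMS.items() if rx.search(raw_event)]


def routed_to_nullqueue(raw_event):
    """True if the event would be routed to nullQueue, i.e. dropped before indexing.

    Both stanzas set DEST_KEY=queue / FORMAT=nullQueue, so one matching transform is enough.
    """
    return bool(matching_transforms(raw_event))


def filter_batch(raw_events):
    """Split raw events into the ones that would be indexed and the ones that would be dropped."""
    kept, dropped = [], []
    for ev in raw_events:
        (dropped if routed_to_nullqueue(ev) else kept).append(ev)
    return kept, dropped


# Constructed sample event (not from a real host): a Kerberos service ticket request,
# which wminull-1 should drop on EventCode=4769.
EVENT_SERVICE_TICKET = "\n".join([
    "06/15/2020 10:21:03 AM",
    "LogName=Security",
    "EventCode=4769",
    "EventType=0",
    "ComputerName=dc01.example.local",
    "Message=A Kerberos service ticket was requested.",
])

# Constructed: a logon event whose raw text literally carries AccountName=admin2,
# so wminull-2 should drop it even though 4624 is not in the EventCode list.
EVENT_ADMIN_LOGON = "\n".join([
    "06/15/2020 10:22:41 AM",
    "LogName=Security",
    "EventCode=4624",
    "AccountName=admin2",
    "Message=An account was successfully logged on.",
])

# Constructed: a logon for an ordinary user. The account appears only in the message body
# as "Account Name:", which the literal AccountName= regex does not match, so it is kept.
EVENT_USER_LOGON = "\n".join([
    "06/15/2020 10:23:05 AM",
    "LogName=Security",
    "EventCode=4624",
    "Message=An account was successfully logged on.",
    "",
    "New Logon:",
    "\tAccount Name:\t\tjdoe",
])


if __name__ == "__main__":
    kept, dropped = filter_batch([EVENT_SERVICE_TICKET, EVENT_ADMIN_LOGON, EVENT_USER_LOGON])
    print(f"kept={len(kept)} dropped={len(dropped)}")
    for ev in dropped:
        print("dropped by", matching_transforms(ev), "->", ev.splitlines()[2])
```

Paste a real _raw event from your index into the list in place of the constructed ones to see which stanza, if any, fires on it. Note also that the EventCode regex is unanchored, so under (?m) a form such as ^EventCode=(4769|4634|4776|4672|4770)$ is the safer choice if you want 4769 to match only that exact code and not a longer value that merely starts with it.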