WMI Event Filtering not working

wburns · ‎02-07-2013

I'm not sure why, but this WMI filter isn't working. I'm trying to drop Windows Security Log events 4769, etc. before indexing. Any help is appreciated. Thanks!

props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull-1,wminull-2

transforms.conf
[wminull-1]
REGEX=(?mi)EventCode=(4769|4634|4776|4672|4770)
DEST_KEY=queue
FORMAT=nullQueue

[wminull-2]
REGEX=(?mi)Account_Name=(admin1|admin2|admin3)
DEST_KEY=queue
FORMAT=nullQueue

yannK · ‎02-11-2013

your example seems to be from splunk 4.1.*, the sourcetype changed since.

try
[WinEventLog:Security] TRANSFORMS-wmi=wminull-1,wminull-2

WMI Event Filtering not working

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

WMI Event Filtering not working

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard