Getting Data In
Highlighted

WMI Event Filtering not working

New Member

I'm not sure why, but this WMI filter isn't working. I'm trying to drop Windows Security Log events 4769, etc. before indexing. Any help is appreciated. Thanks!

props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull-1,wminull-2

transforms.conf
[wminull-1]
REGEX=(?mi)EventCode=(4769|4634|4776|4672|4770)
DEST_KEY=queue
FORMAT=nullQueue

[wminull-2]
REGEX=(?mi)AccountName=(admin1|admin2|admin3)
DEST
KEY=queue
FORMAT=nullQueue

Tags (1)
0 Karma

Re: WMI Event Filtering not working

Splunk Employee
Splunk Employee

your example seems to be from splunk 4.1.*, the sourcetype changed since.

try

[WinEventLog:Security]
TRANSFORMS-wmi=wminull-1,wminull-2