Re: WMI Event Filtering not working

wburns · ‎02-07-2013

I'm not sure why, but this WMI filter isn't working. I'm trying to drop Windows Security Log events 4769, etc. before indexing. Any help is appreciated. Thanks!

props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull-1,wminull-2

transforms.conf
[wminull-1]
REGEX=(?mi)EventCode=(4769|4634|4776|4672|4770)
DEST_KEY=queue
FORMAT=nullQueue

[wminull-2]
REGEX=(?mi)Account_Name=(admin1|admin2|admin3)
DEST_KEY=queue
FORMAT=nullQueue

yannK · ‎02-11-2013

your example seems to be from splunk 4.1.*, the sourcetype changed since.

try
[WinEventLog:Security] TRANSFORMS-wmi=wminull-1,wminull-2

WMI Event Filtering not working

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

WMI Event Filtering not working

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk