WMI Event Filtering not working

New Member

I'm not sure why, but this WMI filter isn't working. I'm trying to drop Windows Security Log events 4769, etc. before indexing. Any help is appreciated. Thanks!

props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull-1,wminull-2

transforms.conf:
[wminull-1]
REGEX=(?mi)EventCode=(4769|4634|4776|4672|4770)
DEST_KEY=queue
FORMAT=nullQueue

[wminull-2]
REGEX=(?mi)AccountName=(admin1|admin2|admin3)
DEST_KEY=queue
FORMAT=nullQueue


Re: WMI Event Filtering not working

Ultra Champion

Your example seems to be from Splunk 4.1.*; the sourcetype changed since.

Try:

[WinEventLog:Security]
TRANSFORMS-wmi=wminull-1,wminull-2
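The nullQueue transforms above are only applied if two things line up: the props.conf stanza must match the sourcetype the events actually arrive with, and each REGEX must match the raw event text as Splunk renders it. The following script is an added example (not part of the original post and not Splunk's own code) that isolates the second condition: it applies the two regexes from the question, in TRANSFORMS order, to a few constructed WinEventLog-style events and reports which queue each would be routed to. The sample events and the "indexQueue" default are assumptions for illustration. If every event you expect to drop comes back as nullQueue here but still shows up in your index, the regexes are fine and the stanza name is the likely mismatch.

```python
import re

# Constructed sample events, shaped like Splunk's multi-line rendering of
# WinEventLog:Security events. Not taken from the original post.
SAMPLE_EVENTS = [
    "EventCode=4769\nEventType=0\nAccountName=svc-web",   # dropped by EventCode
    "EventCode=4624\nEventType=0\nAccountName=admin1",    # dropped by AccountName
    "EventCode=4688\nEventType=0\nAccountName=jdoe",      # kept
    "EventCode=4634\nEventType=0\nAccountName=jdoe",      # dropped by EventCode
]

# The two transforms from the question, as (name, REGEX, queue written to DEST_KEY).
# Order matches the TRANSFORMS-wmi list in props.conf.
TRANSFORMS = [
    ("wminull-1", r"(?mi)EventCode=(4769|4634|4776|4672|4770)", "nullQueue"),
    ("wminull-2", r"(?mi)AccountName=(admin1|admin2|admin3)", "nullQueue"),
]

# Assumed default: an event that no transform touches goes on to be indexed.
DEFAULT_QUEUE = "indexQueue"


def route(event, transforms=TRANSFORMS):
    """Return (queue, name_of_last_matching_transform) for one raw event.

    Transforms are evaluated in list order; when several match and write the
    same DEST_KEY, the later one wins, which is why the loop does not break.
    """
    queue, matched = DEFAULT_QUEUE, None
    for name, pattern, dest in transforms:
        # re.search on the whole event honours the inline (?mi) flags, so
        # "EventCode=" may sit on any line of a multi-line event.
        if re.search(pattern, event):
            queue, matched = dest, name
    return queue, matched


def filter_events(events, transforms=TRANSFORMS):
    """Route every event and return (first_line, queue, transform) tuples."""
    return [(e.split("\n", 1)[0], *route(e, transforms)) for e in events]


def dropped_count(events, transforms=TRANSFORMS):
    """Number of events that would be sent to nullQueue."""
    return sum(1 for _, q, _ in filter_events(events, transforms) if q == "nullQueue")


if __name__ == "__main__":
    for first_line, queue, name in filter_events(SAMPLE_EVENTS):
        print(f"{first_line:<16} -> {queue:<11} ({name or 'no transform matched'})")
    print(f"{dropped_count(SAMPLE_EVENTS)} of {len(SAMPLE_EVENTS)} events would be dropped")
```

Paste a few real events from the index (the raw `_raw` text, not the field table) into SAMPLE_EVENTS to confirm the field names and values are rendered the way the regexes expect, for example `EventCode=` rather than `Event Code:`. Keep the drop list conservative: 4672 and 4769 are noisy, but dropping logon and ticket events also removes evidence an investigation may later need.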
