Getting Data In

WMI Event Filtering not working

New Member

I'm not sure why, but this WMI filter isn't working. I'm trying to drop Windows Security Log events 4769, etc. before indexing. Any help is appreciated. Thanks!

props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull-1,wminull-2

transforms.conf:
[wminull-1]
REGEX=(?mi)EventCode=(4769|4634|4776|4672|4770)
DEST_KEY=queue
FORMAT=nullQueue

[wminull-2]
REGEX=(?mi)Account_Name=(admin1|admin2|admin3)
DEST_KEY=queue
FORMAT=nullQueue


Splunk Employee

Your example seems to be from Splunk 4.1.*; the sourcetype has changed since.

Try:

[WinEventLog:Security]
TRANSFORMS-wmi=wminull-1,wminull-2
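To see why the stanza name matters, here is an added simulation (not Splunk's code, not from either poster) of how a TRANSFORMS class routes events: the transforms only run when the props.conf stanza matches the event's sourcetype, so the same regexes drop nothing under the old `WMI:` stanza name. Sample events are constructed; Python's `re` accepts the `(?mi)` inline flags exactly as written in the question.

```python
import re

# transforms.conf from the question: stanza name -> compiled REGEX.
# Both stanzas set DEST_KEY=queue / FORMAT=nullQueue, i.e. "drop this event".
TRANSFORMS = {
    "wminull-1": re.compile(r"(?mi)EventCode=(4769|4634|4776|4672|4770)"),
    "wminull-2": re.compile(r"(?mi)Account_Name=(admin1|admin2|admin3)"),
}

# props.conf as posted in the question (old 4.1-era sourcetype name).
PROPS_ORIGINAL = {"WMI:WinEventLog:Security": ["wminull-1", "wminull-2"]}

# props.conf as suggested in the answer (current sourcetype name).
PROPS_FIXED = {"WinEventLog:Security": ["wminull-1", "wminull-2"]}

# Constructed sample events as Splunk would see the raw text of a
# Windows Security log event (key=value lines).
SAMPLE_EVENTS = [
    ("WinEventLog:Security", "EventCode=4769\nEventType=0\nAccount_Name=svc-web"),
    ("WinEventLog:Security", "EventCode=4624\nEventType=0\nAccount_Name=ADMIN2"),
    ("WinEventLog:Security", "EventCode=4624\nEventType=0\nAccount_Name=jdoe"),
]


def route_event(sourcetype, raw, props):
    """Return the queue an event lands in.

    Splunk applies the transforms listed in the props.conf stanza that
    matches the event's sourcetype, in order; a REGEX match sets the
    queue key to nullQueue (the event is discarded before indexing).
    """
    for name in props.get(sourcetype, []):
        if TRANSFORMS[name].search(raw):
            return "nullQueue"
    return "indexQueue"


def route_all(events, props):
    """Route every (sourcetype, raw) pair; returns the list of queues."""
    return [route_event(st, raw, props) for st, raw in events]


if __name__ == "__main__":
    for label, props in (("original", PROPS_ORIGINAL), ("fixed", PROPS_FIXED)):
        print(label, route_all(SAMPLE_EVENTS, props))
```

Under the original props.conf every sample event is indexed; under the fixed stanza the 4769 event and the ADMIN2 logon are dropped (the `i` flag makes the account match case-insensitive) while the ordinary 4624 is kept.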
