Realization (Actions executed leading to the disruption):
We are currently trying to poll Windows 2008 servers with Splunk-wmi. As you know Windows 2008 generates a lot of eventlog messages and to stay within our 2GB/a day limit we want to filter out some data before sending it to the general indexer. We are currently using a demo splunk license to test it out before we are putting it into production. I have created a wmi poll using the Splunk data input wizard and I am getting the results in Splunk. My next step was to start filtering out events with an eventcode=5156 filter using a props.conf and transforms.conf file but I am not able to "filter out" the events.
Recreation (Could the disruption be recreated? If yes, please provide a exact step by step scenario):
---props.conf---
[wmi]
TRANSFORMS-null = wmi-null
---transforms.conf---
[wmi-null]
REGEX=EventCode=(5156)
DEST_KEY = queue
FORMAT = nullQueue
I know there are a lot of topics about this subject but somehow I am to stupid to get this working with the examples given by other users...
Beware the sourcetype is different between versions of splunk/windows app
see http://splunk-base.splunk.com/answers/26192/cannot-filter-wmi-events-to-nullqueue-in-42x
Don't save your config files as .conf.txt....
this is so true.
Never mind, i feel very very very stupid! For everyone who doesn't have a good configures GPO, uncheck the hide extentions for known file types and don't work with notepad!!!