Getting Data In

WMI EventLog Filtering

Path Finder

Realization (Actions executed leading to the disruption):

We are currently trying to poll Windows 2008 servers with Splunk-wmi. As you know Windows 2008 generates a lot of eventlog messages and to stay within our 2GB/a day limit we want to filter out some data before sending it to the general indexer. We are currently using a demo splunk license to test it out before we are putting it into production. I have created a wmi poll using the Splunk data input wizard and I am getting the results in Splunk. My next step was to start filtering out events with an eventcode=5156 filter using a props.conf and transforms.conf file but I am not able to "filter out" the events.

Recreation (Could the disruption be recreated? If yes, please provide a exact step by step scenario):

---props.conf---

[wmi]

TRANSFORMS-null = wmi-null

---transforms.conf---

[wmi-null]

REGEX=EventCode=(5156)

DEST_KEY = queue

FORMAT = nullQueue

I know there are a lot of topics about this subject but somehow I am to stupid to get this working with the examples given by other users...

Tags (3)
1 Solution

Path Finder

Don't save your config files as .conf.txt....

View solution in original post

Splunk Employee
Splunk Employee

Beware the sourcetype is different between versions of splunk/windows app

  • old one is [wmi]
  • new is [WMI:WinEventLog:Security]

see http://splunk-base.splunk.com/answers/26192/cannot-filter-wmi-events-to-nullqueue-in-42x

0 Karma

Path Finder

Don't save your config files as .conf.txt....

View solution in original post

Splunk Employee
Splunk Employee

this is so true.

0 Karma

Path Finder

Never mind, i feel very very very stupid! For everyone who doesn't have a good configures GPO, uncheck the hide extentions for known file types and don't work with notepad!!!

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!