Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

WMI filter doesn't work

alain_bettiol
New Member
‎03-01-2013 02:19 AM

Hello, I try to modify the behaviour of a forwarder installed on a Windows server. I would like to prevent the forwarder from sending WINDOWS events EventType=4
I have tried everything but still doesn't work, all EventTypes (1, 2,3, 4) are still forwarded

Thanks for your help

My props.conf is :
[WMI:WinEventLog:System]
TRANSFORMS-wmi=wminullEvents

[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminullEvents

[WMI:WinEventLog:Application]
TRANSFORMS-wmi=wminullEvents

Transforms.conf is :
[wminullEvents]
REGEX=(?msi)^EventType=(4)
DEST_KEY=queue
FORMAT=nullQueue

Tags (2)
0 Karma
Reply

alain_bettiol
New Member
‎03-05-2013 11:49 PM

I have found the cause, the default setup doesn't forward anything I have enabled sources in the manageR Now the events are forwarded by the heavy forwarder but the filtering doesn't work, everything is forwarded.

0 Karma
Reply

alain_bettiol
New Member
‎03-04-2013 11:38 PM

I have installed the heavy forwarder but it doesn't forward any event.
I didn't configure props.conf and transforms.conf yet.
The process splunkd is running and config file outputs.conf seems correct.
Is there a logfile I can check to understand what happens ?
Thanks

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 05:19 AM

A Universal Forwarder cannot do filtering based on the event content, you need a Heavy Forwarder for that.

0 Karma
Reply

alain_bettiol
New Member
‎03-01-2013 04:54 AM

Splunk Universal Forwarder 5.0.2 (build 149561)

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 04:00 AM

Run this:

$SPLUNK_HOME/bin/splunk version
0 Karma
Reply

alain_bettiol
New Member
‎03-01-2013 03:42 AM

No I don't think so. I'm not sure but I think it is light forwarder. How can I recognize a heavy or light forwarder?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 03:30 AM

Is this on a heavy forwarder?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...