Re: WMI filter doesn't work

alain_bettiol · ‎03-01-2013

Hello, I try to modify the behaviour of a forwarder installed on a Windows server. I would like to prevent the forwarder from sending WINDOWS events EventType=4
I have tried everything but still doesn't work, all EventTypes (1, 2,3, 4) are still forwarded

Thanks for your help

My props.conf is :
[WMI:WinEventLog:System]
TRANSFORMS-wmi=wminullEvents

[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminullEvents

[WMI:WinEventLog:Application]
TRANSFORMS-wmi=wminullEvents

Transforms.conf is :
[wminullEvents]
REGEX=(?msi)^EventType=(4)
DEST_KEY=queue
FORMAT=nullQueue

alain_bettiol · ‎03-05-2013

I have found the cause, the default setup doesn't forward anything I have enabled sources in the manageR Now the events are forwarded by the heavy forwarder but the filtering doesn't work, everything is forwarded.

alain_bettiol · ‎03-04-2013

I have installed the heavy forwarder but it doesn't forward any event.
I didn't configure props.conf and transforms.conf yet.
The process splunkd is running and config file outputs.conf seems correct.
Is there a logfile I can check to understand what happens ?
Thanks

martin_mueller · ‎03-01-2013

A Universal Forwarder cannot do filtering based on the event content, you need a Heavy Forwarder for that.

alain_bettiol · ‎03-01-2013

Splunk Universal Forwarder 5.0.2 (build 149561)

martin_mueller · ‎03-01-2013

Run this:

$SPLUNK_HOME/bin/splunk version

alain_bettiol · ‎03-01-2013

No I don't think so. I'm not sure but I think it is light forwarder. How can I recognize a heavy or light forwarder?

martin_mueller · ‎03-01-2013

Is this on a heavy forwarder?

WMI filter doesn't work

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor