Getting Data In

WMI filter issues

New Member

Hi all,
I have searched Splunk answers and official documentation for the last three days, but for the life of me can't get the result I'm after.

What I want is to collect Logon and Logoff events (be they success or failure) and discard all the rest. I found a few questions on this subject, but none of the solutions worked in my situation.

I set up a single Splunk server to collect Security Event logs from circa 200 Windows computers, all joined to a domain, using WMI. I know that best practice tells to use Universal Forwarder, but I'm trying to avoid it for different reasons, the first being the limited resources of our clients and less administrative effort of a per-client installation.

The problem is that I can't manage to filter the inputs and index only the desired events, with the results that just a fraction of the clients easily fill the 500MB daily quota limit.

This is the configuration I came up so far, implemented in the Splunk server, not working as far as I can tell:

...\Splunk\etc\system\local\\props.conf

[WinEventLog:Security]
TRANSFORMS-wmi=wminull,wmiparsing

...\Splunk\etc\system\local\\transforms.conf

[wminull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmiparsing]
REGEX = (?m)^EventCode=(538|540|672|673|861)
DEST_KEY = queue
FORMAT = indexQueue

Note: I made a couple of tries also with wmi.conf and inputs.conf, but for what I gather these configuration files are not relevant to my configuration (single server and no forwarders at all).

Any help troubleshooting this issue would be very welcome.
Happy splunking

0 Karma

SplunkTrust
SplunkTrust

Hi abruzzesi,

If you're sure that the sourcetype in props.conf matches at 100% try to use another TRANSFORMS class, like this:

[WinEventLog:Security]
TRANSFORMS-nullwmi=wminull,wmiparsing

It could be, that the TRANSFORMS class you did specify ( wmi ) is not unique. The TRANSFORMS class must be unique - extract from docs:

TRANSFORMS-<class> = <transform_stanza_name>, <transform_stanza_name2>,...
* <class> is a unique literal string that identifies the namespace of the field you're extracting.
  **Note:** <class> values do not have to follow field name syntax restrictions. You can use 
  characters other than a-z, A-Z, and 0-9, and spaces are allowed. <class> values are not subject
  to key cleaning. 

hope this helps ...

cheers, MuS

0 Karma

New Member

Hi MuS, thanks for your feedback.
Unfortunately, even after changing the name to "TRANSFORMS-filter", and performed a splunk stop-clean-start, I still see all Security event data being indexed.
The filter is not working!

Just a guess: could "inputs.conf" help in this case? I seem to remember that I made a try, without success obviously.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!