Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

WMI filtering only eventlog from some users

pmelchiori
Explorer
‎03-05-2012 08:22 AM

I'm looking for a way to filter all the log eventlog from certain user's group (SYSTEM and Administrator), but all my test going bad 😞

(splunk 4.1.6)

prof.conf:

[wmi]
TRANSFORMS-wminull = wmi-null, wmi-parsing

transforms.conf

[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue  

[wmi-parsing]
REGEX = (?m)^User=(SYSTEM|Administrator)
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply

sdwilkerson
Contributor
‎03-06-2012 07:09 AM

pmelchiori,

It looks like you have the syntax mostly right, but you need to check a few things.

Is the sourcetype that you want to drop just "wmi" or is it "wmi:WinEventLog:Security" etc? Make sure this is explicit.

Additionally, your transform will apply to a SOURCE_KEY = _raw unless otherwise stated. Your _raw will probably be equal to the entire event. That would mean that the string "user=XXX" is NOT at the beginning of the event, and therefore you don't want the carat "^" in your regex.

Finally, you have two transforms, that do two different things. The top one has a REGEX = (.).
In Regex, a dot "." means match any single character. So, this will match anything and mark it all to the nullQueue. I am not sure your intention here, but you may want to adjust this or maybe even omit the first transform in lieu of the second.

Check the sourcetype, check your transforms, fix that in props.conf and then remove your carat and see how that goes.

Best,

Sean

Reply

sdwilkerson
Contributor
‎03-06-2012 05:38 PM

See my updated answer above.

0 Karma
Reply

pmelchiori
Explorer
‎03-06-2012 09:27 AM

Okay, I've made all the changes but it still archiving any log!

Switching the props.conf in wmi:WinEventLog:Security it stops working totally.

0 Karma
Reply

MarioM
Motivator
‎03-05-2012 12:52 PM

did you try the followings:

REGEX = (.)

AND/OR

REGEX = (?msi)^User=(SYSTEM|Administrator)
0 Karma
Reply

pmelchiori
Explorer
‎03-06-2012 06:28 AM

Yes, it does't filter anything, I can see all the logs in Splunk.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...