Getting Data In

WMI input and whitelisting

Ultra Champion

Hello there.

I finally managed to set up WMI-based event log monitoring and it seems to work 🙂

The problem is that it's gonna give me way to many events. I want to pull just a subset of the events from the Applicatonlog. With ordinary WinEventLog input I could set up a whitelist/blacklist to limit the processed events at the forwarder level. The same doesn't seem to work with the WMI:whatever type of input.

Is there indeed no way to limit the ingested events? Do I have to do it further down the stream by selective routing on HF?

Labels (3)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...