Why are all services still being indexed, even with my WinHostMon whitelist configuration specifying certain services?

marellasunil
Communicator

Hi,

I want to index only the services "AppHostSvc", "Iisadmin" & "AppHostSvc", but even with the below inputs.conf configuration, all the services are being indexed. Can someone help?

[WinHostMon://service]
type = service
interval = 900
whitelist=Name="AppHostSvc"
whitelist1=Name="Iisadmin"
whitelist2=Name="AppHostSvc"
index=winhost_prod

ehqtrainorm
Explorer

The hacky way I got around this was to use the [powershell://] block in the inputs.conf:

[powershell://<name>]
# Get service status
script = Get-Service -ComputerName localhost | Where-Object DisplayName -in ('Service1','Service2','Service3') | Select-Object Name, DisplayName, Status
# Run every 5 mins
schedule = */5 * * * *
index = <index_name>
sourcetype = <sourcetype_name>

tomandrews
Explorer

It seems that you can use [WMI:Services] to have greater control of which services you are actively monitoring via wmi.conf:

http://blogs.splunk.com/2014/05/30/monitoring-windows-service-state-history/

I can't say this is something I have personally used just yet, but I am considering doing so rather than indexing data about services I'm not worried about.
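
A wmi.conf stanza along the lines of the [WMI:Services] approach mentioned above, as an added example that is not part of the original thread. The service names, interval and index are taken from the question; the stanza name and the selected Win32_Service properties are assumptions.

```ini
# wmi.conf on the Windows forwarder (example values, adjust to your environment)
[WMI:Services]
# Poll every 900 seconds, matching the interval used in the question
interval = 900
# The WHERE clause restricts collection to the named services, so data about
# other services is never collected or sent to the indexer
wql = SELECT Name, DisplayName, State, StartMode FROM Win32_Service WHERE Name = "AppHostSvc" OR Name = "Iisadmin"
index = winhost_prod
disabled = 0
```

If this stanza replaces the WinHostMon input, disable the [WinHostMon://service] stanza so the same service data is not collected twice.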

richgalloway
SplunkTrust

If I read the docs correctly, the whitelist attribute does not apply to WinHostMon.

---
If this reply helps you, Karma would be appreciated.

marellasunil
Communicator

Hi,
Thanks for the reply.
Is it possible to use blacklist? Something like Name!="AppHostSvc"


richgalloway
SplunkTrust

I think blacklist doesn't apply, either.

---
If this reply helps you, Karma would be appreciated.