Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are all services still being indexed, even with my WinHostMon whitelist configuration specifying certain services?

marellasunil
Communicator
‎09-09-2015 10:28 AM

Hi,

I want to index only the services "AppHostSvc", "Iisadmin" & "AppHostSvc", but even with the below input.conf configuration, all the services are being indexed. Can some one help?

[WinHostMon://service]
type = service
interval = 900
whitelist=Name="AppHostSvc"
whitelist1=Name="Iisadmin"
whitelist2=Name="AppHostSvc"
index=winhost_prod
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2015 11:07 AM

If I read the docs correctly, the whitelist attribute does not apply to WinHostMon.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

ehqtrainorm
Explorer
‎09-04-2019 03:02 PM

The hacky way I got around this was to use the [powershell://] block in the inputs.conf:

[powershell://<name>]
# Get service status
script = Get-Service -ComputerName localhost | Where-Object DisplayName -in ('Service1','Service2','Service3') | Select-Object Name, DisplayName, Status
# Run every 5 mins
schedule = */5 * * * *
index = <index_name>
sourcetype = <sourcetype_name>
0 Karma
Reply
Solved! Jump to solution

tomandrews
Explorer
‎11-13-2015 06:23 AM

It seems that you can use [WMI:Services] to have greater control of which services you are actively monitoring via wmi.conf:

http://blogs.splunk.com/2014/05/30/monitoring-windows-service-state-history/

I can't say this is something I have personally used just yet, but I am considering doing so rather than indexing data about services I'm not worried about.

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2015 11:07 AM

If I read the docs correctly, the whitelist attribute does not apply to WinHostMon.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

marellasunil
Communicator
‎09-09-2015 11:27 AM

Hi,
Thanks for the reply.
Is it possible to use blacklist? something like Name!="AppHostSvc"

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2015 11:48 AM

I think blacklist doesn't apply, either.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...