Getting Data In

Why are all services still being indexed, even with my WinHostMon whitelist configuration specifying certain services?

marellasunil
Communicator

Hi,

I want to index only the services "AppHostSvc", "Iisadmin" & "AppHostSvc", but even with the below input.conf configuration, all the services are being indexed. Can some one help?

[WinHostMon://service]
type = service
interval = 900
whitelist=Name="AppHostSvc"
whitelist1=Name="Iisadmin"
whitelist2=Name="AppHostSvc"
index=winhost_prod
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

If I read the docs correctly, the whitelist attribute does not apply to WinHostMon.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

ehqtrainorm
Explorer

The hacky way I got around this was to use the [powershell://] block in the inputs.conf:

[powershell://<name>]
# Get service status
script = Get-Service -ComputerName localhost | Where-Object DisplayName -in ('Service1','Service2','Service3') | Select-Object Name, DisplayName, Status
# Run every 5 mins
schedule = */5 * * * *
index = <index_name>
sourcetype = <sourcetype_name>
0 Karma

tomandrews
Explorer

It seems that you can use [WMI:Services] to have greater control of which services you are actively monitoring via wmi.conf:

http://blogs.splunk.com/2014/05/30/monitoring-windows-service-state-history/

I can't say this is something I have personally used just yet, but I am considering doing so rather than indexing data about services I'm not worried about.

richgalloway
SplunkTrust
SplunkTrust

If I read the docs correctly, the whitelist attribute does not apply to WinHostMon.

---
If this reply helps you, Karma would be appreciated.

marellasunil
Communicator

Hi,
Thanks for the reply.
Is it possible to use blacklist? something like Name!="AppHostSvc"

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I think blacklist doesn't apply, either.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...