
Why are all services still being indexed, even with my WinHostMon whitelist configuration specifying certain services?

Communicator

Hi,

I want to index only the services "AppHostSvc", "Iisadmin" & "AppHostSvc", but even with the below input.conf configuration, all the services are being indexed. Can someone help?

[WinHostMon://service]
type = service
interval = 900
whitelist=Name="AppHostSvc"
whitelist1=Name="Iisadmin"
whitelist2=Name="AppHostSvc"
index=winhost_prod

SplunkTrust

If I read the docs correctly, the whitelist attribute does not apply to WinHostMon.

---
If this reply helps you, an upvote would be appreciated.


Explorer

The hacky way I got around this was to use the [powershell://] block in the inputs.conf:

[powershell://<name>]
# Get service status
script = Get-Service -ComputerName localhost | Where-Object DisplayName -in ('Service1','Service2','Service3') | Select-Object Name, DisplayName, Status
# Run every 5 mins
schedule = */5 * * * *
index = <index_name>
sourcetype = <sourcetype_name>

Explorer

It seems that you can use [WMI:Services] to have greater control of which services you are actively monitoring via wmi.conf:

http://blogs.splunk.com/2014/05/30/monitoring-windows-service-state-history/

I can't say this is something I have personally used just yet, but I am considering doing so rather than indexing data about services I'm not worried about.
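A sketch of the wmi.conf approach mentioned in the reply above, added here as an example and not taken from that post or the linked blog. The stanza name, the 900-second interval and the winhost_prod index are assumptions carried over from the question; the WQL WHERE clause is what limits collection to the named services.

```ini
# wmi.conf on the forwarder (added example; values are assumptions from the question)
[WMI:Services]
# Poll every 900 seconds, matching the interval in the original WinHostMon stanza
interval = 900
# Only the services named in the WHERE clause are returned, so nothing else is indexed
wql = SELECT Name, DisplayName, State, StartMode FROM Win32_Service WHERE Name = "AppHostSvc" OR Name = "Iisadmin"
index = winhost_prod
disabled = 0
```

With this stanza in place, the [WinHostMon://service] input can be disabled so that the unfiltered service list is no longer collected.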


Communicator

Hi,
Thanks for the reply.
Is it possible to use blacklist? Something like Name!="AppHostSvc"


SplunkTrust

I think blacklist doesn't apply, either.
