Getting Data In

Why are all services still being indexed, even with my WinHostMon whitelist configuration specifying certain services?

marellasunil
Communicator

Hi,

I want to index only the services "AppHostSvc", "Iisadmin" & "AppHostSvc", but even with the below input.conf configuration, all the services are being indexed. Can some one help?

[WinHostMon://service]
type = service
interval = 900
whitelist=Name="AppHostSvc"
whitelist1=Name="Iisadmin"
whitelist2=Name="AppHostSvc"
index=winhost_prod
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

If I read the docs correctly, the whitelist attribute does not apply to WinHostMon.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

ehqtrainorm
Explorer

The hacky way I got around this was to use the [powershell://] block in the inputs.conf:

[powershell://<name>]
# Get service status
script = Get-Service -ComputerName localhost | Where-Object DisplayName -in ('Service1','Service2','Service3') | Select-Object Name, DisplayName, Status
# Run every 5 mins
schedule = */5 * * * *
index = <index_name>
sourcetype = <sourcetype_name>
0 Karma

tomandrews
Explorer

It seems that you can use [WMI:Services] to have greater control of which services you are actively monitoring via wmi.conf:

http://blogs.splunk.com/2014/05/30/monitoring-windows-service-state-history/

I can't say this is something I have personally used just yet, but I am considering doing so rather than indexing data about services I'm not worried about.

richgalloway
SplunkTrust
SplunkTrust

If I read the docs correctly, the whitelist attribute does not apply to WinHostMon.

---
If this reply helps you, Karma would be appreciated.

marellasunil
Communicator

Hi,
Thanks for the reply.
Is it possible to use blacklist? something like Name!="AppHostSvc"

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I think blacklist doesn't apply, either.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...