Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitoring specific services

fhemmeld
Explorer
‎07-25-2018 10:12 AM

Relatively newbie on Splunk and trying to monitor specific services on windows boxes that run a Universal Forwarder. I can get the services info into the Splunk Light indexer (using [WinHostMon://Service] or [WMI:Services]), but both send back the whole list of services, while I only need a few of them and since I am limited in what I can index, I prefer not to index info I do not need. I looked at white-listing, but that only works on files/folders.

Is there a way of only obtaining the info for a few services (for example the SplunkD service, or Tomcat8 service) and ignore the rest at the source, or filter on the indexer by redirecting the unwanted info into the nullqueue or similar? I have searched through the answers on answers.splunk.com but have not found anything that helped me.

Using SplunkLight 7.1.2 without TA add-ons.

Thanks you!

Reply

DalJeanis
Legend
‎07-25-2018 06:36 PM

As well as somesoni2's suggestion, you can also whitelist or blacklist particular transactions, using various methods.

The general term for that is "route to the null queue". Here's one example answer that explains hwo to do it in one situation.

https://answers.splunk.com/answers/11617/route-unwanted-logs-to-a-null-queue.html

In essence, you can either route only specific things to the nullqueue, or you can route everything to the nullqueue and then save the specific items you want to keep.

Of course, if your set it up so that the logs are never created, then you don't have to do that decisioning.

0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2018 11:46 AM

See this (method 2)
https://www.splunk.com/blog/2014/05/30/monitoring-windows-service-state-history.html

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...