Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Monitoring specific services

fhemmeld
Explorer
‎07-25-2018 10:12 AM

Relatively newbie on Splunk and trying to monitor specific services on windows boxes that run a Universal Forwarder. I can get the services info into the Splunk Light indexer (using [WinHostMon://Service] or [WMI:Services]), but both send back the whole list of services, while I only need a few of them and since I am limited in what I can index, I prefer not to index info I do not need. I looked at white-listing, but that only works on files/folders.

Is there a way of only obtaining the info for a few services (for example the SplunkD service, or Tomcat8 service) and ignore the rest at the source, or filter on the indexer by redirecting the unwanted info into the nullqueue or similar? I have searched through the answers on answers.splunk.com but have not found anything that helped me.

Using SplunkLight 7.1.2 without TA add-ons.

Thanks you!

Reply

DalJeanis
Legend
‎07-25-2018 06:36 PM

As well as somesoni2's suggestion, you can also whitelist or blacklist particular transactions, using various methods.

The general term for that is "route to the null queue". Here's one example answer that explains hwo to do it in one situation.

https://answers.splunk.com/answers/11617/route-unwanted-logs-to-a-null-queue.html

In essence, you can either route only specific things to the nullqueue, or you can route everything to the nullqueue and then save the specific items you want to keep.

Of course, if your set it up so that the logs are never created, then you don't have to do that decisioning.

0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2018 11:46 AM

See this (method 2)
https://www.splunk.com/blog/2014/05/30/monitoring-windows-service-state-history.html

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader    Mika Borner, CEO and Founder of Datapunctum AG, has been ...

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...