First, thanks for taking the time to look at this. Hopefully I'll be able to provide all the information you need to help me out.
I have several extremely chatty Windows servers (AD 2008) with a universal forwarder installed (4.3.1 build 119532). They're forwarding Windows events to my Splunk Server (same version and build) over tcp 9514. So the Splunk Server is configured to receive on tcp_9514.
The problem is I'm still indexing events mentioned in the regex. This configuration worked in our test environment. I'm not sure where to start troubleshooting this. I think it's all configured correctly.
metrics.log (one host)
INFO Metrics - group=tcpinconnections, 10.1.57.202:49328:9514, connectionType=cooked, sourcePort=49328, sourceHost=10.1.57.202, sourceIp=10.1.57.202, destPort=9514, _tcpBps=51043.12, tcpKBps=49.85, tcpavgthruput=364.65, kb=1463.47, _tcpKprocessed=35517.31, tcpeps=36.85, build=119532, version=4.3.1, os=Windows, arch=x64, hostname=dccoslo2, guid=526275C8-DEC9-4F06-BD7B-30EFB3158043, fwdType=uf, ssl=false, lastIndexer=10.1.57.198:9514, ack=false
Unfortunately, there is no answer to the issue I experienced.
Removed my Splunk install completely and re-installed the latest version as a fresh install. I only kept my transforms and props.conf files. Everything else is brand new.
And the filter is working. I suspect Ayn was on the right track. Something in my configuration was not right. Thanks for the help!
Just one thought - did you make sure that your transform identifier (the "wmi" part in "TRANSFORMS-wmi") isn't duplicated anywhere? These identifiers need to be unique, so if they're not that will cause undefined behaviour.
I searched again, this time at /etc/* but still no joy. I really thought that might have been it this time! 🙂 So we all agree the syntax, etc. is good. And this did work in our test environment. But the test environment was brand new. I think I'll just back up my .conf files and install fresh. I'll update.
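An added example (not the poster's own configuration) of the props.conf/transforms.conf pair this thread is about, showing the TRANSFORMS-wmi identifier tied to a nullQueue transform as discussed in the comment above. The sourcetype, transform name and EventCode regex are hypothetical placeholders.

```ini
# props.conf (on the indexer; a universal forwarder does not run the parsing
# pipeline, so a transform placed only on the forwarder is never applied)
# Hypothetical sourcetype; the forwarder's Windows inputs set the real one.
[WinEventLog:Security]
# The text after "TRANSFORMS-" is the identifier. It must not be reused by
# another TRANSFORMS-<name> line in any other props.conf (system/local,
# any app's default/ or local/), or one copy silently overrides the other.
TRANSFORMS-wmi = drop_noisy_logons

# transforms.conf
[drop_noisy_logons]
# Constructed regex: raw events containing these EventCodes are routed to
# nullQueue and discarded before indexing, so they never reach a search
# and do not count against the license.
REGEX = EventCode=(4624|4634|4672)
DEST_KEY = queue
FORMAT = nullQueue
```

After editing either file, restart the indexer and confirm the merged result with `splunk btool props list WinEventLog:Security --debug`, which prints every file contributing to the stanza and makes a duplicated identifier visible.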