Splunk Search

Limit WMI Input

jumper4000
Explorer

We pull in all the security event logs using WMI. However, it's pulling in WAY too much data. Is there a way to limit what gets pulled into Splunk? For example, to only pull in certain Event IDs?

Tags (3)
0 Karma
1 Solution

sdaniels
Splunk Employee
Splunk Employee

Based on a regex you could send unwanted data to the the nullqueue. See link below. That might help reduce the amount of data that you are searching on.

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...

View solution in original post

sdaniels
Splunk Employee
Splunk Employee

Based on a regex you could send unwanted data to the the nullqueue. See link below. That might help reduce the amount of data that you are searching on.

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...