Splunk Search

Limit WMI Input

jumper4000
Explorer

We pull in all the security event logs using WMI. However, it's pulling in WAY too much data. Is there a way to limit what gets pulled into Splunk? For example, to only pull in certain Event IDs?

1 Solution

sdaniels
Splunk Employee

Based on a regex you could send unwanted data to the nullQueue. See link below. That might help reduce the amount of data that you are searching on.

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...
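
A sketch of the nullQueue filtering described in the answer above, added here as an example and not part of the original post. It keeps only an allowlist of Event IDs from the WMI-collected Security log and discards the rest; the transform names (`wmi_setnull`, `wmi_keep`) and the three Event IDs are assumptions chosen for illustration.

```ini
# ---- props.conf ----
# Place on the instance that parses the data (indexer or heavy forwarder).
# WMI:WinEventLog:Security is the sourcetype given to Security events
# collected over WMI.
[WMI:WinEventLog:Security]
# Transforms are applied in the order listed: first route every event to
# the nullQueue, then route the events to keep back to the indexQueue.
TRANSFORMS-wmi_filter = wmi_setnull, wmi_keep

# ---- transforms.conf ----
# Matches every event and marks it for discard.
[wmi_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Overrides the discard for the allowlisted Event IDs.
# Example IDs (assumption): 4624 logon, 4625 failed logon,
# 4720 user account created. Replace with the IDs you need.
[wmi_keep]
REGEX = (?m)^EventCode=(4624|4625|4720)\b
DEST_KEY = queue
FORMAT = indexQueue
```

The filter runs at parse time, so the events are still collected over WMI but are dropped before they are indexed. Restart Splunk on the parsing instance after changing these files.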

