Splunk Search

Limit WMI Input

jumper4000
Explorer

We pull in all the security event logs using WMI. However, it's pulling in WAY too much data. Is there a way to limit what gets pulled into Splunk? For example, to only pull in certain Event IDs?

Tags (3)
0 Karma
1 Solution

sdaniels
Splunk Employee
Splunk Employee

Based on a regex you could send unwanted data to the the nullqueue. See link below. That might help reduce the amount of data that you are searching on.

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...

View solution in original post

sdaniels
Splunk Employee
Splunk Employee

Based on a regex you could send unwanted data to the the nullqueue. See link below. That might help reduce the amount of data that you are searching on.

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_...

Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...