Splunk Search

Filtering WinHostMon with transforms/props so it doesn't index the status of a particular service.

jospina2
Explorer

Hello,

I am trying to use transforms/props to filter a service from being indexed

This is what I have:

/etc/system/local/transforms.conf :

[testing_service_filter]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

/etc/system/local/props.conf

[WinHostMon:Service]
TRANSFORMS-block_service = testing_service_filter

I have also tried:

[WinHostMon://Service]
TRANSFORMS-block_service = testing_service_filter
[source::service]
sourcetype = WinHostMon
TRANSFORMS-block_service = testing_service_filter
[source:service]
TRANSFORMS-block_service = testing_service_filter

and

[WinHostMon]
TRANSFORMS-block_service = testing_service_filter

What am I doing wrong? I have no problem filtering other sources (e.g. I have dozens of filters applied to WinEventLog, and never had an issue setting them up), but every transform I try to apply on WinHostMon doesn't seem to work. What am I missing?

Thanks

daviesg
Engager

I'm a Splunk newbie so I'm not sure this is the most efficient method but I've got it working by:

  1. Adding a stanza to props.conf in /etc/system/local

[WinHostMon]
TRANSFORMS-filter = filter_manual_service

  1. Add a stanza to the transforms.conf in /etc/system/local

[filter_manual_service]
REXEG = StartMode="Manual"
DEST_KEY = queue
FORMAT = nullQueue

It would be great to find out if there is a better way to do this.

Cheers

Graham

0 Karma

Kawtar
Path Finder

Hello jospina2,

Did you try an other : testing_service_filter2

transforms.conf
[testing_service_filter]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

[testing_service_filter2]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

And then in props.conf:

TRANSFORMS-block_service2 = testing_service_filter2,

Can you try this ?

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...