Solved: WMI EventLog Filtering

CerielTjuh · ‎02-24-2011

Realization (Actions executed leading to the disruption):

We are currently trying to poll Windows 2008 servers with Splunk-wmi. As you know Windows 2008 generates a lot of eventlog messages and to stay within our 2GB/a day limit we want to filter out some data before sending it to the general indexer. We are currently using a demo splunk license to test it out before we are putting it into production. I have created a wmi poll using the Splunk data input wizard and I am getting the results in Splunk. My next step was to start filtering out events with an eventcode=5156 filter using a props.conf and transforms.conf file but I am not able to "filter out" the events.

Recreation (Could the disruption be recreated? If yes, please provide a exact step by step scenario):

---props.conf---

[wmi]

TRANSFORMS-null = wmi-null

---transforms.conf---

[wmi-null]

REGEX=EventCode=(5156)

DEST_KEY = queue

FORMAT = nullQueue

I know there are a lot of topics about this subject but somehow I am to stupid to get this working with the examples given by other users...

CerielTjuh · ‎02-24-2011

Don't save your config files as .conf.txt....

View solution in original post

yannK · ‎06-29-2011

Beware the sourcetype is different between versions of splunk/windows app

old one is [wmi]
new is [WMI:WinEventLog:Security]

see http://splunk-base.splunk.com/answers/26192/cannot-filter-wmi-events-to-nullqueue-in-42x

CerielTjuh · ‎02-24-2011

Don't save your config files as .conf.txt....

yannK · ‎04-02-2011

this is so true.

CerielTjuh · ‎02-24-2011

Never mind, i feel very very very stupid! For everyone who doesn't have a good configures GPO, uncheck the hide extentions for known file types and don't work with notepad!!!

WMI EventLog Filtering

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms