Solved: How to filter WMI event logs using blacklist, prop...

dbabanov · ‎06-19-2014

Hello, everybody!

I have some question.
We collect WMI event log security. So sourcetype in splunk is "wmi:eventlog:security".
How I can filter events by EventCode=5145.

How I can use "blacklist" in inputs.conf? Or I must use props.conf and transform.conf? What stanza should I create them?

P.S. I have splunk 6.1.1.

Tanks.

rdjoraev_splunk · ‎06-30-2015

In Splunk 6.2.3 release stanza should be [WinEventLog:Security] instead of [WMI:WinEventLog:Security]

For more for more details about the stanza settings in inputs.conf, please refer to Splunk Documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/MonitorWindowsdata

View solution in original post

rdjoraev_splunk · ‎06-30-2015

In Splunk 6.2.3 release stanza should be [WinEventLog:Security] instead of [WMI:WinEventLog:Security]

For more for more details about the stanza settings in inputs.conf, please refer to Splunk Documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/MonitorWindowsdata

Oakley · ‎06-20-2014

Put this under the secuity log WMI stanza in inputs.conf:

blacklist = 5145

Should do the trick.

dbabanov · ‎06-23-2014

I do this, but i have error, that unknown parametr in stanza WMI.
Any idea, how i should filter events using props and transforms conf-files?

How to filter WMI event logs using blacklist, props or transforms in Splunk 6.* ?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!