Hi,
I am running 6.5.2 and using WMI to get Windows Event log data into Splunk. Currently I’m pulling in Application and System logs and trying to filter what I pull in/index. I’d like to not have informational logs pulled in. I’ve tried a number of different ways to do this but nothing seems to be working. All files I am modifying are in C:\Program Files\Splunk\etc\system\local. To test I am making changes to the files and then ‘searching’ for “| extract reload=t”. My search time is 1 minute but I don’t think that should matter for the purpose of reloading the files.
Inputs.conf
[WinEventLog:System] (I’ve also tried [WinEventLog://System] )
blacklist = Information
blacklist1 = 7036 (EventCode which I am trying to test on)
However, I’m not even sure inputs.conf can filter on event log info pulled in via WMI. From the inputs.conf docs under Windows Event Log Monitor section “Note: The WinEventLog stanza is for local systems only. To define event log monitor inputs for remote machines, use wmi.conf.” Can anyone confirm or deny this? wmi.conf doesn't seem to have any ability to filter like this. So I tried transforms and props.
transforms.conf
[setnulla]
REGEX=(?msi)^EventCode=(7036)
DEST_KEY=queue
FORMAT=nullQueue
I’ve also tried REGEX=Type=Information
props.conf
[WMI:wmiTest]
TRANSFORMS-set = setnulla
I’ve also tried [WMI:WinEventLog:System], [WMI:WinEventLog:*], [WinEventLog:System], and [WinEventLog:*]. However, nothing I change makes any difference. Any help would be greatly appreciated. I’ve looked at a number of posts, including:
https://answers.splunk.com/answers/91173/multiple-wmi-sources-in-props-conf.html
https://answers.splunk.com/answers/498277/how-to-filter-or-blacklist-all-event-typelevel-inf.html
Thanks
As per http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/inputsconf#Event_Log_whitelist_and_blacklist... (scroll up a tiny bit) you cannot mix the "list of event codes" format with the regular expression format.
Your blacklist should look something like this:
blacklist1 = EventCode=%^7036$%
blacklist2 = Type=%^Information$%
After making that change in inputs.conf and restarting Splunk you should see it affect data coming in from that point on, old data remains indexed as it was.
Bottom line, last two chars are swapped... in my answer too 😄 oops...
I'm starting to wonder if this is possible while gathering event logs via WMI. The inputs.conf docs say "Note: The WinEventLog stanza is for local systems only. To define event log monitor inputs for remote machines, use wmi.conf." Unfortunately wmi.conf does not offer the filtering that is available in inputs.conf
Thanks for your response. No luck. Since it seems you are suggesting this can be done with inputs.conf (which would be ideal) I made the changes you suggested, have commented out everything in props.conf and transforms.conf (just to sanity check # is a comment, right?), and restarted the splunk service (.\splunk.exe restart). My inputs.conf is:
[default]
host = splunk00
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog:System]
blacklist1 = EventCode=%^7036$%
blacklist2 = Type=%^Information%$
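A small offline check of the blacklist lines from this thread, added here as an example and not part of the original posts or of Splunk itself. It assumes the key=%regex% form from the answer above (one key per blacklist<N> entry, regex delimited by %), flags the line whose closing % and $ are swapped as malformed, and applies the well-formed rule to a few constructed sample events; the sample events and the parsing rules are my own assumptions, not Splunk's actual implementation.

```python
import re

# Lines copied from the inputs.conf shown in the last post: the first entry is
# well formed, the second has its closing "%" and "$" swapped.
INPUTS_CONF = """\
[WinEventLog:System]
blacklist1 = EventCode=%^7036$%
blacklist2 = Type=%^Information%$
"""

# Constructed sample events, keyed like Splunk's WinEventLog fields (assumption).
SAMPLE_EVENTS = [
    {"EventCode": "7036", "Type": "Information"},
    {"EventCode": "7040", "Type": "Information"},
    {"EventCode": "7001", "Type": "Error"},
]

# Assumed rule shape: key=%regex%. Anything else is reported as malformed rather
# than silently ignored, which is what makes a swapped "%$" easy to miss.
RULE_RE = re.compile(r"^(?P<key>\w+)=%(?P<regex>.*)%$")

def parse_blacklist(conf_text):
    """Return (rules, problems): rules as (name, key, compiled regex) tuples."""
    rules, problems = [], []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if not re.fullmatch(r"blacklist\d*", name):
            continue
        m = RULE_RE.match(value)
        if not m:
            problems.append(f"{name}: value {value!r} is not in key=%regex% form")
            continue
        try:
            rules.append((name, m.group("key"), re.compile(m.group("regex"))))
        except re.error as exc:
            problems.append(f"{name}: bad regex {m.group('regex')!r}: {exc}")
    return rules, problems

def is_blacklisted(event, rules):
    """An event is dropped if any rule's regex matches that event's field value."""
    return any(rx.search(event.get(key, "")) for _, key, rx in rules)

if __name__ == "__main__":
    rules, problems = parse_blacklist(INPUTS_CONF)
    for p in problems:
        print("MALFORMED:", p)
    for ev in SAMPLE_EVENTS:
        print(ev, "-> dropped" if is_blacklisted(ev, rules) else "-> indexed")
```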