Getting Data In

What is the best way to filter WMI Event Logs by type without just whitelisting or blacklisting?

mgrimes
New Member

Current Splunk Enterprise Server Version: 6.2.1

Current Splunk Test Server Version: 6.5.0

Question: What is the proper way to filter Windows log events so that only events of type/level Warning, Error, or Failure Audit are kept for Application, Security, and System (I guess Failure Audit for Security only), without simply filtering by event codes with white/blacklisting?

inputs.conf

[default]
host = SplunkMachine

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error"
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error"
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"
blacklist1 = Type="^2Failure Audit"
blacklist2 = Type="^3Success Audit"

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = Type="^Error"
whitelist1 = Type="^2Warning"
blacklist = Type="^Information"

transforms.conf

[wminull]
REGEX=(?m)^Level=(1|2|5)
DEST_KEY=queue
FORMAT=nullQueue

props.conf

########## FILE MATCH CONDITIONS ##########
[source::...\\var\\log\\anaconda.syslog(.\d+)?]
sourcetype = anaconda_syslog

[source::...\\var\\log\\anaconda.log(.\d+)?]
sourcetype = anaconda 

[source::...\\var\\log\\httpd\\error_log(.\d+)?]
sourcetype = apache_error 

[source::...\\var\\log\\cups\\access_log(.\d+)?]
.
.
.
[WinEventLog:Application]
TRANSFORMS-wmi=wminull

[WinEventLog:Security]
TRANSFORMS-wmi=wminull

[WinEventLog:System]
TRANSFORMS-wmi=wminull


####### NON-LOG FILES

So I've tried a few combinations of modifying just transforms.conf and inputs.conf, and just props.conf. So far, my attempts have limited the number of events that are indexed in Splunk; however, according to the documentation I should only need to modify props.conf and transforms.conf. I suspect I'm missing some regex remarks.

0 Karma

martin_mueller
SplunkTrust

The whitelist/blacklist syntax is slightly different:

whitelist1 = Type=%^Error$%
whitelist2 = Type=%^Warning$%
...

Then you won't need any props/transforms nullqueue filtering at all.

0 Karma

martin_mueller
SplunkTrust

Your syntax is off again:

whitelist = Type=%^[1-2]$%
0 Karma

mgrimes
New Member

With the change, it is still indexing events of the Information type.

0 Karma

martin_mueller
SplunkTrust

Before you do, decide on a blacklist or a whitelist, not both.

0 Karma

mgrimes
New Member
[WinEventLog://Application]
disabled = 0
start_from = newest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = Type="^[1-2]$"

Still includes things other than what is whitelisted.

0 Karma

martin_mueller
SplunkTrust

The whitelist is enough, no need for a blacklist to state the same thing again.

Did you restart splunk and are only looking at data coming in after the restart?

0 Karma

mgrimes
New Member

I have restarted Splunk. It did index, but it still contained Information events. I am actually disabling the data input, deleting the index, modifying the config, restarting Splunk, then creating the new index and enabling the data input with the appropriate index.

0 Karma

mgrimes
New Member
[WinEventLog://Application]
disabled = 0
start_from = newest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = Type=%^Error$%
whitelist1 = Type=%^Warning$%
blacklist = Type=%^Information$%

This is what I have changed it to, following your answer. However, Application still seems to show Information logs.

0 Karma

mgrimes
New Member
[WinEventLog://Application]
disabled = 0
start_from = newest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = Type="^[1-2]$"
blacklist = Type="^[3]$"

Found out that Type is actually a numerical value, so I changed it to this. Now zero events are being indexed, so I must have something working; just the syntax is wrong.

0 Karma
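The thread turns on two things: the key=regex syntax of `whitelist`/`blacklist` entries (the `%...%` or `"..."` delimited form from martin_mueller's answer) and which field the regex is applied to. The script below is an added example, not code from the thread or from Splunk: it emulates the documented key=regex matching offline so a stanza's filter lines can be checked against sample events before restarting Splunk. The sample events are constructed; the numeric `EventType` values and the exact `Type` strings for audit events (`Audit Success`/`Audit Failure`) are assumptions for this example, and the precedence between a whitelist and a blacklist that both match is also an assumption of the example, so confirm all three against a raw indexed event on your own version.

```python
import re

# Constructed sample events in the key=value shape of Splunk WinEventLog events.
# Assumption for this example: EventType carries the numeric level (1 Error,
# 2 Warning, 4 Information; the 8/16 audit values are a guess) and Type carries
# the string form. Confirm both against a raw event on your version.
SAMPLE_EVENTS = [
    {"LogName": "Application", "EventCode": "1000", "EventType": "1",
     "Type": "Error", "SourceName": "Application Error"},
    {"LogName": "Application", "EventCode": "1530", "EventType": "2",
     "Type": "Warning", "SourceName": "User Profile Service"},
    {"LogName": "Application", "EventCode": "1", "EventType": "4",
     "Type": "Information", "SourceName": "SecurityCenter"},
    {"LogName": "Security", "EventCode": "4624", "EventType": "8",
     "Type": "Audit Success", "SourceName": "Microsoft-Windows-Security-Auditing"},
    {"LogName": "Security", "EventCode": "4625", "EventType": "16",
     "Type": "Audit Failure", "SourceName": "Microsoft-Windows-Security-Auditing"},
    {"LogName": "System", "EventCode": "7036", "EventType": "4",
     "Type": "Information", "SourceName": "Service Control Manager"},
]

# One whitelist/blacklist value is one or more key=<d>regex<d> pairs separated
# by whitespace, where <d> is % or ".
PAIR_RE = re.compile(r'(\w+)=(["%])(.*?)\2')


def parse_filter_line(value):
    """Return [(key, compiled_regex), ...] for one whitelist*/blacklist* value."""
    pairs = [(key, re.compile(rx)) for key, _delim, rx in PAIR_RE.findall(value)]
    if not pairs:
        raise ValueError("not in key=%regex% form: " + value)
    return pairs


def line_matches(event, pairs):
    """All pairs on a single line must match (AND); an absent key never matches."""
    return all(key in event and rx.search(event[key]) for key, rx in pairs)


def filter_events(stanza, events):
    """Apply the whitelist*/blacklist* settings of one [WinEventLog://...] stanza."""
    whitelists = [parse_filter_line(v) for k, v in sorted(stanza.items())
                  if k.startswith("whitelist")]
    blacklists = [parse_filter_line(v) for k, v in sorted(stanza.items())
                  if k.startswith("blacklist")]
    kept = []
    for event in events:
        # Separate whitelist entries are ORed: any one of them keeps the event.
        if whitelists and not any(line_matches(event, p) for p in whitelists):
            continue
        # Assumption of this example: a blacklist hit drops an event even when
        # a whitelist also matched it. Use one list or the other in practice.
        if any(line_matches(event, p) for p in blacklists):
            continue
        kept.append(event)
    return kept


def kept_codes(stanza, events=SAMPLE_EVENTS):
    """EventCodes surviving the stanza's filters, in input order."""
    return [e["EventCode"] for e in filter_events(stanza, events)]


if __name__ == "__main__":
    candidates = {
        "thread's first attempt": {"whitelist": 'Type="^Error"',
                                   "whitelist1": 'Type="^2Warning"'},
        "numeric regex on Type": {"whitelist": 'Type="^[1-2]$"'},
        "string regex on Type": {"whitelist": "Type=%^Error$%",
                                 "whitelist1": "Type=%^Warning$%"},
        "numeric regex on EventType": {"whitelist": "EventType=%^[12]$%"},
        "Security failures only": {
            "whitelist": "LogName=%^Security$% Type=%^Audit Failure$%"},
    }
    for name, stanza in candidates.items():
        print(f"{name:28s} -> {kept_codes(stanza)}")
```

Running it shows why the thread's attempts behaved as they did: `Type="^2Warning"` can never match a `Type` field holding the word `Warning`, and `Type="^[1-2]$"` keeps nothing because the digits live in `EventType`, not `Type`. The last candidate also shows that two pairs on one line are ANDed, which is how you express "Failure Audit for Security only" without a blacklist.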