Want to route my WMI data to nullqueue , but only ...

krithikar · ‎04-20-2023

Hi All,

I am trying to route my WMI data to a null queue but want to route data coming through from a specific group of hosts only.

Example : The Windows WmI data is coming through from different group of hosts listed below

Hostgroup1 = ABCDEF

hostgroup2 = XXXXXX

hostgroup3 = sssssssss

The WMI events (example eventcodes , type, log source etc) are mostly common for all the hosts and hence if i use either of these common fields all of my data will be sent to null queue. I would want to only send Hostgroup1 which starts with ABCDEF , there are around 500+ hosts in the host group starting with ABCDEF .

Could anyone suggest a way to only route data from the hostgroup1 to Null queue .

04/20/2023 07:01:10 PM
LogName=Hello
SourceName=Microsoft Windows logs.
EventCode=1234
EventType=x
Type=Information
ComputerName=abcdefghijl2106.domain.abc.com
TaskCategory=dynamic
OpCode=Info
RecordNumber=12345678
Keywords=Audit Success

I am trying to write my transforms regex based on the computer name so it can only group the hostgroup1 starting with abcdef hosts and route that data to null queue

woodcock · ‎04-21-2023

I would not recycle "setnull" so try this:

[WinEventLog]
TRANSFORMS-null_queue = setnullWinEventLogSomeHosts

[setnullWinEventLogSomeHosts]
REGEX = (?ms)(ComputerName=ABCD[^\.]*.domain.com)
DEST_KEY=queue
FORMAT=nullQueue

krithikar · ‎04-20-2023

Thanks for reverting back,

[host::your_host]
TRANSFORMS-null= setnull

In the above, i can only add a specific host correct ?. i would want to route all the data from the hosts starting with abcdefg .

Would I be able to do the below, so it would be able to pick all the hosts stating with abcdefg?. will this work?.

[host : : abcdefg*]

gcusello · ‎04-20-2023

Hi @krithikar,

it should woth also with wildcard, but if they aren't so many, you can create a stanza for each one.

Anyway, remember that you have to put this configuration in the first full Splunk instance that data passing through, in other words not on Universal Forwarders.

Check the choice to disable the inputs that's better and easier.

Ciao.

Giuseppe

gcusello · ‎04-20-2023

Hi @krithikar ,

if you want to delete all the logs from some servers, why don't you disable those inputs?

anyway, as described at https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Routeandfilterdatad#Filter_event...

you should try to put in props.conf:

[host::your_host]
TRANSFORMS-null= setnull

and in transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Ciao.

Giuseppe

krithikar · ‎04-21-2023

I would not be able to do the above as I would want to retain other data coming through from these hosts and want to route data only from a specific source type.

IN my case the index is source type and sources are common and global as they are coming through for wmi logs. I would want to use my sourcetype in the transforms and want to route this wmi data to null queue only for a set of servers

This is what i want to try , Will this work ?.

[WinEventLog]
TRANSFORMS-null_queue = setnull

[setnull]
REGEX = (?ms)(ComputerName=ABCD*.domain.com)
DEST_KEY=queue
FORMAT=nullQueue

Sample event : provide above

Want to route my WMI data to nullqueue , but only from a specific group of hosts

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases