Hi,
I am running 6.5.2 and using WMI to get Windows Event log data into Splunk. Currently I’m pulling in Application and System logs and trying to filter what I pull in/index. I’d like to not have informational logs pulled in. I’ve tried a number of different ways to do this but nothing seems to be working. All files I am modifying are in C:\Program Files\Splunk\etc\system\local. To test I am making changes to the files and then ‘searching’ for “| extract reload=t”. My search time is 1 minute but I don’t think that should matter for the purpose of reloading the files.
inputs.conf
[WinEventLog:System] (I’ve also tried [WinEventLog://System] )
blacklist = Information
blacklist1 = 7036 (EventCode which I am trying to test on)
However, I’m not even sure inputs.conf can filter on event log info pulled in via WMI. From the inputs.conf docs under Windows Event Log Monitor section “Note: The WinEventLog stanza is for local systems only. To define event log monitor inputs for remote machines, use wmi.conf.” Can anyone confirm or deny this? wmi.conf doesn't seem to have any ability to filter like this. So I tried transforms and props.
transforms.conf
[setnulla]
REGEX=(?msi)^EventCode=(7036)
DEST_KEY=queue
FORMAT=nullQueue
I’ve also tried REGEX=Type=Information
props.conf
[WMI:wmiTest]
TRANSFORMS-set = setnulla
I’ve also tried `[WMI:WinEventLog:System], [WMI:WinEventLog:*], [WinEventLog:System], and [WinEventLog:*]`. However, nothing I change makes any difference. Any help would be greatly appreciated. I’ve looked at a number of posts, including:
https://answers.splunk.com/answers/91173/multiple-wmi-sources-in-props-conf.html
https://answers.splunk.com/answers/498277/how-to-filter-or-blacklist-all-event-typelevel-inf.html
https://answers.splunk.com/answers/107605/filtering-events-out-via-props-conf-and-transforms-conf.html
Thanks
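As an added example (not code from the question or from Splunk), here is a small Python simulation that parses the transforms.conf stanza above, plus a whole-line version of the Type=Information variant, and applies the REGEX to constructed WMI-style events, so the regex itself can be checked against the event layout before troubleshooting which props.conf stanza applies. The multi-line key=value event layout, the field names and the routing logic are assumptions about the WMI input's output and about Splunk's index-time nullQueue behaviour, simplified for the demo.

```python
import re

def wmi_event(code, level, msg):
    """Constructed approximation of the multi-line key=value _raw the WMI input produces."""
    return (f"20170315103055.000000\nLogFile=System\nSourceName=Service Control Manager\n"
            f"EventCode={code}\nType={level}\nMessage={msg}")

# The transforms.conf stanza from the question, plus a second stanza for the
# Type=Information variant also mentioned, anchored to a whole line.
TRANSFORMS_CONF = """
[setnulla]
REGEX=(?msi)^EventCode=(7036)
DEST_KEY=queue
FORMAT=nullQueue

[setnullinfo]
REGEX=(?msi)^Type=Information$
DEST_KEY=queue
FORMAT=nullQueue
"""

def parse_stanzas(text):
    """Parse [stanza] / key=value lines into {stanza: {key: value}}.
    Splits on the first '=' only so the '=' inside a REGEX value survives."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def route_event(raw, stanzas):
    """Simplified model of index-time queue routing (not Splunk's engine): the
    first stanza whose REGEX matches _raw and whose DEST_KEY is queue wins,
    otherwise the event stays on the index queue."""
    for rules in stanzas.values():
        if rules.get("DEST_KEY") == "queue" and re.search(rules["REGEX"], raw):
            return rules["FORMAT"]
    return "indexQueue"

if __name__ == "__main__":
    rules = parse_stanzas(TRANSFORMS_CONF)
    print(route_event(wmi_event(7036, "Information", "Service entered the running state."), rules))
    print(route_event(wmi_event(7034, "Error", "Service terminated unexpectedly."), rules))
```

A match here only shows the regex fits the event text; whether Splunk applies the transform at all still depends on the props.conf stanza matching the event's actual sourcetype or source.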