- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Transforming Frowarded WinEvents
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transforming Frowarded WinEvents
Scenario:
Multiple WinHosts forwarding logs to separate Linux indexers using Splunk Forwarders.
Objective:
The ability to transform WinEvents using transforms.conf and props.conf
Situation:
Transforming data from local sources, such as syslog works without error. Transforming the forwarded events is not working. I am wondering if I need to specify the forwarded data in inputs.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a good example of filtering security events (in case you want to keep some of them).
Just remember the order is important - send to nullQueue first:
http://answers.splunk.com/answers/29218/filtering-windows-event-logs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filtering windows events is a very common practice. It does work - I do it myself.
But, there are a number of things that can go wrong.
What exactly is the sourcetype? Where are you placing the configs, which files, and what are the configs?
Why do you think there is something wrong with the forwarded data - windows security logs are standard, but they can come from at least two different sources.
Did you restart Splunk on the indexer after you made the changes?
Lastly, you do know that these changes will not affect logs already indexed right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is not working either.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, if you want to be rid of all WinEventLog:Security, it's probably better to not monitor them in the first place. Other than that, it could be done like;
props.conf
[WinEventLog:Security]
TRANSFORMS-blah = discard
transforms.conf
[discard]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
This is not working for you?
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, that is not working for me. I think it has something to do with the events being forwarded.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Version = 5.0.2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version of splunk are you using?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I should have been more specific. I am transforming on the indexer. I want to be able to transform any parts of the events. To send all WinEventLog:Security to the null queue for example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What parts of the events do you want transform, and why?
In any case, you do know that the props/transforms settings should be configured on the indexer, right?
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
/k
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
