Getting Data In

Splunk Receiving

fk319
Builder

I have several servers sending WinEventLogs to my server. I have no control of the remote servers, so I would like to put them in their own indexes. All of this is in its own application, WinEvent.

Here I am trying to catch the incoming data and force it to be processed via props.conf by re-routing. It does not seem to work. Below that, I tried to use sourcetype to index the data. The host names are [not really] winsql, winmail, winexchage.

[splunktcp://win*:9997]
route = has_key:_utf8:parsingQueue;has_key:_linebreaker:parsingQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue
index = winevent
disabled = o

[WinEventLog:System]
disabled = 0
index = winsys

[WinEventLog:Security]
disabled = 0
index = winsec

[WinEventLog:Application]
disabled = 0
index = winapp

Here is my props.conf

[WinEventLog...]
TRANSFORMS-WinApp = WinEvent_App
TRANSFORMS-WinSec = WinEvent_Sec
TRANSFORMS-WinSys = WinEvent_Sys

and finally my transforms.conf

[WinEvent_App]
SOURCE_KEY = MetaData:Source
REGEX = (source::WinEventLog:Application)
FORMAT = index::winapp
DEST_KEY = _MetaData:Index

[WinEvent_Sec]
SOURCE_KEY = MetaData:Source
REGEX = (source::WinEventLog:Security)
FORMAT = index::winsec
DEST_KEY = _MetaData:Index

[WinEvent_Sys]
SOURCE_KEY = MetaData:Source
REGEX = WinEventLog:System
FORMAT = index::winsys
DEST_KEY = _MetaData:Index

I have been unable to move the incoming data from the default index=main to any of my new indexes.

Any suggestions?

1 Solution

jlunk
Engager

Could it be that there is a typo in the inputs?

disabled = o

That's a lower-case letter 'O'


sdwilkerson
Contributor

fk319,

I agree with jlunk that the problem might be your disabled line.

Since you do not control the remote systems, it is possible that a configuration is not exactly as you would like it to be.
If you choose to force/override the metadata settings you can do this. If the remote systems are Universal Forwarders, then you can install your props/transforms on the receiver of their data to override the index metadata. Is this where you have set up your props/transforms referenced above, or did you put it on the Universal Forwarder doing the collection?

Note, for troubleshooting, if you are not doing encryption, you can do a packet-capture on port 9997 on your receiver to look at the data coming from these systems. You will be able to clearly see the metadata settings in the pcap and can see if they are being set by the sending host.

Sean

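Both answers above come down to two checks a receiver-side admin wants to make before blaming the forwarders: is every `disabled` value something Splunk actually reads as a boolean, and do the transforms stanzas carry the four keys an index override needs (SOURCE_KEY, REGEX, FORMAT = index::..., DEST_KEY = _MetaData:Index). The script below is an added example, not code from the thread or from Splunk: it parses inputs.conf and transforms.conf text with a minimal reader, lints both, and then simulates how the index override resolves for a given MetaData:Source value. The sample configs embedded in it are constructed from the thread (with the `disabled = o` typo deliberately kept so the linter has something to catch); the `splunktcp://9997` stanza name, the default index of `main`, and the transform ordering passed to `route_index` are assumptions of this example.

```python
import re

# Constructed sample inputs.conf, modelled on the thread, typo included on purpose.
INPUTS_CONF = """\
[splunktcp://9997]
index = winevent
disabled = o

[WinEventLog:Security]
disabled = 0
index = winsec
"""

# Constructed sample transforms.conf with two index-override stanzas from the thread.
TRANSFORMS_CONF = """\
[WinEvent_App]
SOURCE_KEY = MetaData:Source
REGEX = (source::WinEventLog:Application)
FORMAT = index::winapp
DEST_KEY = _MetaData:Index

[WinEvent_Sec]
SOURCE_KEY = MetaData:Source
REGEX = (source::WinEventLog:Security)
FORMAT = index::winsec
DEST_KEY = _MetaData:Index
"""


def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}, key case preserved."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


BOOL_VALUES = {"0", "1", "true", "false"}


def lint_inputs(stanzas):
    """Flag any 'disabled' value that is not a boolean (the letter o, for instance)."""
    problems = []
    for name, kv in stanzas.items():
        val = kv.get("disabled")
        if val is not None and val.lower() not in BOOL_VALUES:
            problems.append(f"[{name}] disabled = {val!r} is not a boolean")
    return problems


def lint_index_transforms(stanzas):
    """Check each transform carries the keys an index override needs."""
    problems = []
    for name, kv in stanzas.items():
        if kv.get("DEST_KEY") != "_MetaData:Index":
            problems.append(f"[{name}] DEST_KEY must be _MetaData:Index")
        if not kv.get("FORMAT", "").startswith("index::"):
            problems.append(f"[{name}] FORMAT must be index::<indexname>")
        if "REGEX" not in kv:
            problems.append(f"[{name}] REGEX is missing")
        if "SOURCE_KEY" not in kv:
            problems.append(f"[{name}] SOURCE_KEY is missing (defaults to _raw)")
    return problems


def route_index(transforms, order, metadata, default_index="main"):
    """Simulate the override: apply transforms in the given order; a later match
    overwrites an earlier one, and no match leaves the default index in place."""
    index = default_index
    for name in order:
        t = transforms[name]
        field = t.get("SOURCE_KEY", "_raw")
        if re.search(t["REGEX"], metadata.get(field, "")):
            index = t["FORMAT"].split("index::", 1)[1]
    return index


if __name__ == "__main__":
    inputs = parse_conf(INPUTS_CONF)
    transforms = parse_conf(TRANSFORMS_CONF)
    for p in lint_inputs(inputs) + lint_index_transforms(transforms):
        print("WARN", p)
    for src in ("source::WinEventLog:Security", "source::WinEventLog:System"):
        idx = route_index(transforms, ["WinEvent_App", "WinEvent_Sec"],
                          {"MetaData:Source": src})
        print(f"{src} -> index {idx}")
```

The reader deliberately does not understand Splunk's layering of default/local and app precedence; on a real receiver, `splunk btool inputs list --debug` (and the same for props and transforms) shows the merged result and which file each setting came from, which is where a value like `disabled = o` would surface. The simulation only models the piece the thread is about: a transform whose REGEX matches the SOURCE_KEY field rewrites the index, and a source that matches nothing stays in the default index.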

