sending WinEventLog://Application to different ind...

usd0872 · ‎01-22-2016

I have the following requirement:
<ul>
<li> send WinEventLog://Application , except for one specific EventCode to one index</li>
<li> send that specific EventCode to another index</li>
</ul>
While I can get one of both requirements to work at a time, I can't figure out how to do do both simultaneously.

In one forwarder app my inputs.conf looks like this:
<pre>
[WinEventLog://Application]
disabled = false
blacklist = 33205
index = index1
</pre>
and in the other one I have
<pre>
[WinEventLog://Application]
disabled = false
whitelist = 33205
index = index2
</pre>

Anyone got something like this to work without resolving to props.conf/transforms.conf magic on the indexers? (Which I want to avoid, due to the sheer data volume.)

Is it maybe not possible to have two input stanzas for WinEventLog://Application?

(UFW: v6.2.1 / servers: v6.2.4)

somesoni2 · ‎01-22-2016

Try something like this

inputs.conf

[WinEventLog://Application]
disabled = false
blacklist = 33205
index = index1

props.conf (on Indexer/Heavy forwarder)

[WinEventLog:Application]
TRANSFORMS-idx_assign = assign_idx

transforms.conf (on Indexer/Heavy forwarder)

 [assign_idx]
 DEST_KEY = _MetaData:Index
REGEX=(?m)EventCode\s*=\s*PUT_YOUR_SPECIFIC_EVENTCODE_HERE.*
 FORMAT = index2

sending WinEventLog://Application to different indexes

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life