How do you use a CLONE_SOURCETYPE to parse a sourcetype?

gbeatty
Path Finder

Hi all,

I am trying to set up WindowsEventLog to send all events with EventCode=4648 to one index, wineventlog_4648, and the remainder to a second index, wineventlog.

My progress so far has leaned heavily on this answer: https://answers.splunk.com/answers/565511/can-i-use-clone-sourcetype-to-send-events-to-multi.html.

However, I have been unable to get it to work. Am I fundamentally misunderstanding how some of these fields operate? To start, I am fine with duplicate entries but have not been able to populate wineventlog_4648 with any events.

Any guidance would be greatly appreciated.


inputs.conf

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

props.conf

[WinEventLog://Security]
TRANSFORMS-WinEventLog_4648

transforms.conf

[WinEventLog_4648]
CLONE_SOURCETYPE = WinEventLog_Security_4648
SOURCE_KEY = field:EventCode
REGEX = /4648/
FORMAT = wineventlog_4648
DEST_KEY = _MetaData:Index
0 Karma
1 Solution

gbeatty
Path Finder

Hey @woodcock

Thanks for the help. You were right about the name in props.conf.

I'm glad to say I figured it out, but I ended up doing it a different way without CLONE_SOURCETYPE.

props.conf

[WinEventLog:Security]
TRANSFORMS-routing = routeSubset

transforms.conf

[routeSubset]
REGEX = EventCode=4648
FORMAT = wineventlog_4648
DEST_KEY = _MetaData:Index

Thanks for helping me think of different ways to approach it.

0 Karma

woodcock
Esteemed Legend

I converted your comment to an answer. You should click Accept on it to close the question.

woodcock
Esteemed Legend

My other answer is true but you have other problems. This:

SOURCE_KEY = field:EventCode

Should be this:

SOURCE_KEY = EventCode

But even that won't work because the CLONE_SOURCETYPE feature is an index-time function and the EventCode field is not an index-time field so it doesn't yet exist to be used as SOURCE_KEY. Try this instead for transforms.conf:

[WinEventLog_4648]
CLONE_SOURCETYPE = WinEventLog_Security_4648
REGEX = EventCode=4648

woodcock
Esteemed Legend

Your problem is in props.conf. This part is wrong:

[WinEventLog://Security]

It must match your sourcetype value exactly, so it should probably be this (but check your events to be sure):

[WinEventLog:Security]

gbeatty
Path Finder

Unfortunately this did not solve it. Thank you though.

0 Karma
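To pull the pieces of this thread together, here is an added example (not posted by anyone in the thread and not taken from Splunk's documentation) showing both approaches side by side: cloning 4648 events into a second sourcetype and routing the clone to wineventlog_4648 (the original goal, with duplicates), and the accepted answer's simpler move-only routing. It assumes the classic (non-XML) Security log, so the sourcetype is WinEventLog:Security and _raw contains a line reading "EventCode=4648"; that the indexes wineventlog and wineventlog_4648 already exist on the indexers; and that the config is deployed on an indexer or heavy forwarder, since a universal forwarder does not run these index-time transforms. The stanza names clone_4648 and route_4648 are my own. It also tightens the REGEX beyond what the thread uses, anchoring it to the whole line so that only 4648 matches.

```ini
# --- props.conf ---------------------------------------------------------
# The stanza name is the sourcetype value on the events, not the inputs.conf
# stanza name: [WinEventLog://Security] matches nothing at index time.
[WinEventLog:Security]
# Option A: copy. The original stays in index wineventlog; a clone with a
# new sourcetype is created for 4648 events and routed below.
TRANSFORMS-clone_4648 = clone_4648
# Option B: move instead of copy (the accepted answer). Use one or the other,
# not both.
# TRANSFORMS-routing = route_4648

# Index-time transforms are applied to the cloned event under its new
# sourcetype, so the clone picks up its destination index from this stanza.
[WinEventLog_Security_4648]
TRANSFORMS-route_clone = route_4648

# --- transforms.conf ----------------------------------------------------
[clone_4648]
# REGEX is evaluated against _raw (the default SOURCE_KEY); search-time
# fields such as EventCode do not exist yet at this stage. Anchoring to the
# line keeps a longer code that merely starts with 4648 from matching.
REGEX = (?m)^EventCode=4648\s*$
CLONE_SOURCETYPE = WinEventLog_Security_4648

[route_4648]
REGEX = (?m)^EventCode=4648\s*$
DEST_KEY = _MetaData:Index
# The target index must already exist on the indexers, or the routed
# events are dropped.
FORMAT = wineventlog_4648
```

After restarting splunkd on the parsing tier, a search such as `index=wineventlog_4648 sourcetype=WinEventLog_Security_4648` should return the clones under Option A, while `index=wineventlog EventCode=4648` still returns the originals; under Option B the originals move and the first search would use sourcetype=WinEventLog:Security instead.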