How to route window system logs to a different index

usup_rajbahak
Path Finder

Hey there,

I have a Windows forwarder sending the server's application, system and security logs to the indexers. I need to route only the security logs to a different index. I've tried a few different things but none seem to be working. This is my latest config:

props.conf
[WinEventLog]
TRANSFORMS-FIELDS = WinEventLog

transforms.conf
[WinEventLog]
SOURCE_KEY=sourcetype
REGEX=source=WinEventLog:Security
DEST_KEY=_Metadata:Index
FORMAT=Security

What am I doing wrong here? Thanks a lot

PickleRick
SplunkTrust

Why don't you set the proper index on input in the first place?

jonasmeier
Explorer

Any case where a deployed inputs.conf cannot be accessed or changed. My scenario was attaching new indexers to an existing infrastructure as preparation for a migration. But index names also changed, so for a specific period we had to write events to two different indexes on different indexers. Kind of a special case though.

PickleRick
SplunkTrust

Baaah, I didn't notice it was a "golden shovel" post 😉

Of course, in some special cases one can use the index-time manipulation of metadata fields but in general if you can set the metadata right from the start, you should use that functionality. It's good to keep things simple and consistent. Forgotten custom solutions tend to bite you in the rear end in the least appropriate moment 🙂

usup_rajbahak
Path Finder

Hey Ayn,

Thanks for your reply. The logs are still going to the main index.

Here's my latest transforms.conf config

[WinEventLog]
SOURCE_KEY=MetaData:Sourcetype
REGEX=WinEventLog:Security
DEST_KEY=_MetaData:Index
FORMAT=Security

And I restarted splunkd after making the changes.

jonasmeier
Explorer

Years later 🙂

According to https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#KEYS: the correct solution was:

[WinEventLog]
SOURCE_KEY=MetaData:Sourcetype
REGEX=sourcetype::WinEventLog:Security
DEST_KEY=_MetaData:Index
FORMAT=Security

Problems:

- Syntax for index fields (:: instead of :) has to be used in REGEX

- There was a mix between sourcetype (in SOURCE_KEY) and source (in REGEX)

- Case sensitivity of indexes is delicate, so I would always only use lowercase (FORMAT)

As of Splunk Add-on for Windows >=5.0.0, the sourcetype contains only "WinEventLog" (or XmlWinEventLog) for all EventLogs, so the correct solution to specifically route WinEventLog:Security is:

[WinEventLogSecurityRouting]
SOURCE_KEY=MetaData:Source
REGEX=source::WinEventLog:Security
DEST_KEY=_MetaData:Index
FORMAT=security

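To sanity-check a routing stanza before deploying it, here is an added Python model (not Splunk's code and not from any poster in this thread) that applies the thread's first stanza and the final corrected stanza to constructed event metadata. It assumes the documented `source::` / `sourcetype::` prefixes on the MetaData values and reduces Splunk's index-time routing to the four keys discussed (SOURCE_KEY, REGEX, DEST_KEY, FORMAT), with exact, case-sensitive key names.

```python
import configparser
import re

# Constructed metadata for two events from a Windows forwarder, as the indexer
# sees them with Splunk Add-on for Windows >= 5.0.0 (sourcetype is just
# "WinEventLog", the channel is only in source). Splunk prefixes the
# MetaData:Source / MetaData:Sourcetype values with "source::" / "sourcetype::".
SECURITY_EVENT = {"MetaData:Source": "source::WinEventLog:Security",
                  "MetaData:Sourcetype": "sourcetype::WinEventLog",
                  "_MetaData:Index": "main"}
SYSTEM_EVENT = {"MetaData:Source": "source::WinEventLog:System",
                "MetaData:Sourcetype": "sourcetype::WinEventLog",
                "_MetaData:Index": "main"}

# The first stanza posted in the thread and the corrected one from the thread.
ORIGINAL_CONF = """
[WinEventLog]
SOURCE_KEY=sourcetype
REGEX=source=WinEventLog:Security
DEST_KEY=_Metadata:Index
FORMAT=Security
"""
FIXED_CONF = """
[WinEventLogSecurityRouting]
SOURCE_KEY=MetaData:Source
REGEX=source::WinEventLog:Security
DEST_KEY=_MetaData:Index
FORMAT=security
"""

def parse_transforms(text):
    """Parse transforms.conf stanzas into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # SOURCE_KEY / DEST_KEY are case-sensitive in Splunk
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def index_for(event, conf_text):
    """Simplified model of index-time routing: for each stanza, if REGEX matches
    the SOURCE_KEY value, write FORMAT into DEST_KEY. Keys are matched exactly,
    so an unknown SOURCE_KEY never matches and a misspelled DEST_KEY such as
    "_Metadata:Index" lands in a field the indexer ignores (this is the thread's
    first attempt). Returns the index the event would end up in."""
    meta = dict(event)
    for stanza in parse_transforms(conf_text).values():
        if re.search(stanza["REGEX"], meta.get(stanza["SOURCE_KEY"], "")):
            meta[stanza["DEST_KEY"]] = stanza["FORMAT"]
    return meta["_MetaData:Index"]
```

Feed it the metadata your own forwarder produces (check `source` and `sourcetype` on a few indexed events first) to confirm a stanza matches before restarting the indexers.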
Ayn
Legend

I see a couple of issues with how you've set things up.

  • SOURCE_KEY shouldn't be just "sourcetype", it should be "MetaData:Sourcetype".
  • DEST_KEY should start with "_MetaData", not "_Metadata" (note the capital D).
  • The "MetaData:Sourcetype" value will be simply the string specifying the sourcetype, so "source=WinEventLog:Security" will not match. Perhaps you want to match on just "WinEventLog:Security"?