Getting Data In

Can't find the right source type

pme
New Member

Hello,

I have a problem defining the source type to get logs from a Windows host on my LAN.

I receive the logs over TCP on port 30000. I get the logs, but they aren't parsed well.

Which source type should I choose for my logs to be parsed?

The logs are the WinEventLog:Security, Application and System, and what I receive is something like this:

4/25/13 4:23:22.000
\x86y\xB3z+9kg\xE7\x00\x00\x18\x009\x008\x005\x003\x002\x00/\x00\x16\x00\x13\x00
host=10.1.1.2 sourcetype=WinEventLog source=tcp:30333 source=tcp:30000

As I configure my data input, I don't see any source type that matches.

Also, can I parse my data at the source, on the universal forwarder?

Thank you in advance for your response,

PM


Ayn
Legend

Judging by your questions so far I think a good thing for you would be to take the Splunk tutorial first of all (no offense - it's just very good at introducing all kinds of concepts!). For instance, you're asking if you can parse data on the universal forwarder - for one, most "parsing" in Splunk is done at search-time so it would make no sense to attempt it on a forwarder. Secondly, forwarders do not perform any other kind of parsing either, so the answer in either case would be no.

To me it looks like you're sending cooked data from a forwarder to a non-cooked (raw) TCP port on the indexer. You should not be setting up raw TCP inputs on the indexer for this, you should be configuring these ports as receiving ports in the "forwarding and receiving" section of the manager.
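The fix Ayn describes, as an added configuration example that is not part of the original thread: the raw `[tcp://]` input that yields the garbled events shown above, beside the `[splunktcp://]` receiving stanza that accepts cooked forwarder traffic (the same thing the "forwarding and receiving" page of Manager writes). The indexer hostname, the output group name and the forwarder-side stanzas are assumptions.

```ini
# inputs.conf on the INDEXER -- the stanza that produces the garbled events.
# A raw TCP input treats the forwarder's cooked (Splunk-to-Splunk) stream as
# plain text, so the S2S framing lands in _raw and no sourcetype can match it.
# Kept here commented out only to show what to remove.
#[tcp://30000]
#sourcetype = WinEventLog

# inputs.conf on the INDEXER -- corrected: a splunktcp receiving port.
# Cooked data is decoded here and keeps the sourcetype assigned on the forwarder.
[splunktcp://30000]
disabled = 0

# outputs.conf on the UNIVERSAL FORWARDER.
# "indexer.example.lan" and the group name "lan_indexers" are assumed values.
[tcpout]
defaultGroup = lan_indexers

[tcpout:lan_indexers]
server = indexer.example.lan:30000

# inputs.conf on the UNIVERSAL FORWARDER -- the three channels named in the
# question. These inputs set sourcetype=WinEventLog:Security (etc.) themselves,
# so no sourcetype needs to be chosen by hand on the indexer.
[WinEventLog://Security]
disabled = 0

[WinEventLog://Application]
disabled = 0

[WinEventLog://System]
disabled = 0
```

After restarting both sides, `splunk list forward-server` on the forwarder should list the indexer under active forwards, and the events indexed from it should carry the WinEventLog sourcetypes rather than the raw bytes shown above.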

pme
New Member

Thank you for your response,

The logs are the WinEventLog:Security, Application and System, and what I receive is something like this:

4/25/13 4:23:22.000
\x86y\xB3z+9kg\xE7\x00\x00\x18\x009\x008\x005\x003\x002\x00/\x00\x16\x00\x13\x00
host=10.1.1.2 sourcetype=WinEventLog source=tcp:30333 source=tcp:30000

As I configure my data input, I don't see any source type that matches.

Also, can I parse my data at the source, on the universal forwarder?

Thank you in advance for your response,

PM


kristian_kolb
Ultra Champion

What are the logs?
You could set a predefined sourcetype if that is what you're sending. Or you start indexing your files, set whatever sourcetype you want, and create the parsing as you go along.

Remember that you can set the field extractions on already indexed data retroactively.

/K
