I recently installed the newest UF on a server to test before rolling out to the rest of the environment. I am able to monitor log files on the filesystem, but not wineventlogs. I verified the configuration is correct. Is there a bug with this UF?
Any assistance would be appreciated.
I figured it out. There is a statement in the props.conf on the indexers that deletes wineventlog:application data that does not match some regex value. I will need to modify this statement.
Thanks
@linu1988 thanks for the reply. Will using SOURCE_KEY = MetaData:Host make the REGEX = test123 match on the host sending the log, or will it match on characters within the log itself. I should have clarified that I have used the DEST_KEY = queue and FORMAT = indexQueue successfully in the past.
Thanks
indexQueue is mentioned, so it will be indexed. Refer to the document:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Datapipeline
I do have another question pertaining to the transforms.conf file. Would the below config route all logs to the normal queue for host test123?
[keep_test123_data]
SOURCE_KEY = MetaData:Host
REGEX = test123
DEST_KEY = queue
FORMAT = indexQueue
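As an added example (not posted by anyone in this thread), here is the documented Splunk pattern for keeping only one host's WinEventLog:Application events and discarding everything else. It goes on the indexers (or a heavy forwarder), not on the universal forwarder, because TRANSFORMS run in the parsing pipeline. The stanza names, the host name test123 and the sourcetype are assumptions; order matters, since the last transform to match wins for DEST_KEY = queue.

```ini
# props.conf (indexer / heavy forwarder)
# Both transforms run in the listed order: setnull drops every event,
# then keep_test123_data puts events from the wanted host back on indexQueue.
[WinEventLog:Application]
TRANSFORMS-routing = setnull, keep_test123_data

# transforms.conf (indexer / heavy forwarder)
# With no SOURCE_KEY the REGEX is applied to _raw, so "." matches every event.
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# SOURCE_KEY = MetaData:Host matches against the host metadata field, whose
# value has the form "host::test123", not against the event text.
# Anchoring the pattern avoids also keeping host names such as test1234.
[keep_test123_data]
SOURCE_KEY = MetaData:Host
REGEX = ^host::test123$
DEST_KEY = queue
FORMAT = indexQueue
```

If the existing props.conf on the indexers already carries a nullQueue rule for this sourcetype, the fix is to add the keep transform after it in the same TRANSFORMS- list rather than in a second stanza, so the ordering is explicit; a bare REGEX = test123 without SOURCE_KEY would instead be matched against the raw event text.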
inputs.conf:
[WinEventLog:Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = techsvcs
As far as I can tell, this is the same wineventlog configuration that I have working on other versions of UF.
There is also an outputs app that is working for 40+ other servers that is applied to this server to indicate how to send data to the indexers.
It works on Server 2008, I have tested it. Could you post your configuration?