I'm trying to set up Windows Event Log collection via chained Universal Forwarders to my Indexer. I'm not able to set the index in inputs.conf so am trying to set it on the indexer but with no luck. I'm also manipulating the sourcetype and host field to show the original values, which is working fine.
So far I have:
props.conf
[source::WinEventLog:ForwardedEvents]
TRANSFORMS-Index = Set-Index
TRANSFORMS-Host = Set-Host-ComputerName
TRANSFORMS-LogName = Set-Sourcetype-LogName
transforms.conf
[Set-Index]
SOURCE_KEY = MetaData:Source
REGEX source::WinEventLog:ForwardedEvents
DEST_KEY = _MetaData:Index
FORMAT = index::MyIndex**
[Set-Host-ComputerName]
REGEX = (?m)ComputerName=(.*)?\b
DEST_KEY = MetaData:Host
FORMAT = host::$1
[Set-Sourcetype-LogName]
REGEX = (?m)LogName=(.*)?\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::WinEventLog:$1
My struggle is with setting the index at index time.
Okay, that looks much better. Did you restart the indexer after making the change?
You need something that matches - could be what you have now, could just be this:
[Set-Index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = MyIndex
That'd match "raw event has at least one char", ie every event.
That's now working! Thanks. Just a thought, do I need the SOURCE_KEY part?
Thanks Martin! That's working now. I must admit I'm still fuzzy on the why but I'm getting there. Many more Splunk Docs to read!
Okay... next weird thing, the _MetaData:Index key doesn't want an index:: prefix - and I'm guessing the ** is not actually in your conf?
OK, I now have this:
transforms.conf
[Set-Index]
SOURCE_KEY = MetaData:Source
REGEX = source::WinEventLog:ForwardedEvents
DEST_KEY = _MetaData:Index
FORMAT = MyIndex
The logs are still hitting the main index.
Make sure there's an equals sign after REGEX in line 10.
Thanks, just spotted that. Corrected but logs still aren't being matched or changed. So either the Regex is wrong or..?
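An added example, not from this thread or from Splunk: a small Python check that reads stanzas like the ones above, flags the two mistakes the thread turned up (a REGEX line with no "=", and an index:: prefix in the FORMAT for _MetaData:Index) and then applies the transforms to a constructed forwarded event under a simplified model of index-time processing (SOURCE_KEY defaults to _raw, a stanza fires only when its REGEX matches, $N in FORMAT is capture group N). The conf text, the event and the collector/host names are all made up for the example; it is a way to see which stanzas would fire before restarting the indexer, not a substitute for Splunk's own parser.

```python
import re
# Constructed transforms.conf as corrected in the thread ("=" after REGEX, no index:: prefix).
TRANSFORMS_CONF = r"""
[Set-Index]
SOURCE_KEY = MetaData:Source
REGEX = source::WinEventLog:ForwardedEvents
DEST_KEY = _MetaData:Index
FORMAT = MyIndex
[Set-Host-ComputerName]
REGEX = (?m)ComputerName=(.*)?\b
DEST_KEY = MetaData:Host
FORMAT = host::$1
[Set-Sourcetype-LogName]
REGEX = (?m)LogName=(.*)?\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::WinEventLog:$1
"""

# Constructed forwarded event at the indexer: the original host and log name live only in _raw.
SAMPLE_EVENT = {
    "_raw": "LogName=Security\nEventCode=4624\nComputerName=WKS-01.example.local\nMessage=logon ok",
    "MetaData:Source": "source::WinEventLog:ForwardedEvents",
    "_MetaData:Index": "main",
}

def parse_stanzas(text):
    """Minimal transforms.conf reader: returns ({stanza: {key: value}}, problems)."""
    stanzas, problems, name = {}, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("["):
            name = line.strip("[]")
            stanzas[name] = {}
        elif "=" in line:
            key, value = map(str.strip, line.split("=", 1))
            stanzas[name][key] = value
        else:  # the thread's first mistake: "REGEX source::..." with no "="
            problems.append(f"[{name}] line has no '=': {line!r}")
    for name, st in stanzas.items():  # the thread's second mistake: FORMAT = index::MyIndex
        if st.get("DEST_KEY") == "_MetaData:Index" and st.get("FORMAT", "").startswith("index::"):
            problems.append(f"[{name}] _MetaData:Index takes the bare index name, no index:: prefix")
    return stanzas, problems

def apply_transforms(conf_text, event):
    """Simplified model: SOURCE_KEY defaults to _raw; a stanza fires only when REGEX matches."""
    stanzas, problems = parse_stanzas(conf_text)
    out = dict(event)
    for st in stanzas.values():  # a stanza with no REGEX key can never fire
        m = re.search(st.get("REGEX", "(?!)"), out.get(st.get("SOURCE_KEY", "_raw"), ""))
        if m:  # rewrite Splunk's $N in FORMAT to Python's \N and expand the capture groups
            out[st["DEST_KEY"]] = m.expand(re.sub(r"\$(\d+)", r"\\\1", st["FORMAT"]))
    return out, problems
```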