I have a custom Windows Event Log source that I want to monitor via a universal forwarder.
I'd like to split the events into 2 buckets resulting in 2 different source types in Splunk:
- first bucket is made of a list of known codes
- second bucket is made of the rest of the events
In inputs.conf of the universal forwarder, I added the following stanzas:
[WinEventLog://MyCustomSource]
disabled = 0
start_from = oldest
sourcetype = WinEventLogGeneric
blacklist = 10001

[WinEventLog://MyCustomSource]
disabled = 0
start_from = oldest
sourcetype = WinEventLogWellKnownEvents
whitelist = 10001
This does not seem to work.
My goal is to end up with 2 different source types, one for the generic events and one for well known events.
How can I do that?
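Added example, not part of the original question: Splunk treats two stanzas with the same name in one inputs.conf as a single stanza (later keys override earlier ones), so the second [WinEventLog://MyCustomSource] block above simply overwrites the first, and a universal forwarder cannot assign different sourcetypes to individual events from one input anyway. One way to get the two sourcetypes is to collect everything once under a single sourcetype on the forwarder and let the indexer (or a heavy forwarder) rewrite the sourcetype at parse time with a props.conf/transforms.conf pair keyed on the event code. This assumes the events arrive in the standard multi-line Windows Event Log text format, which carries an `EventCode=<number>` line; the stanza name `route_wellknown_events` is my own choice.

```ini
# inputs.conf on the universal forwarder: one stanza, one sourcetype,
# no whitelist/blacklist, so every event is forwarded.
[WinEventLog://MyCustomSource]
disabled = 0
start_from = oldest
sourcetype = WinEventLogGeneric

# props.conf on the indexer or heavy forwarder (transforms do not run on a
# universal forwarder). Applies the routing transform to the incoming sourcetype.
[WinEventLogGeneric]
TRANSFORMS-wellknown = route_wellknown_events

# transforms.conf on the same parsing tier.
[route_wellknown_events]
# Assumption: the raw event contains a line like "EventCode=10001".
# Add further well-known codes to the alternation, e.g. (10001|10005|10009).
REGEX = (?m)^EventCode=(10001)$
# Events whose EventCode matches are re-labelled; everything else keeps
# sourcetype=WinEventLogGeneric.
FORMAT = sourcetype::WinEventLogWellKnownEvents
DEST_KEY = MetaData:Sourcetype
```

After the rewrite, searches such as `sourcetype=WinEventLogWellKnownEvents` return only the listed codes, while the unmatched events stay in WinEventLogGeneric; restart or reload the parsing tier after editing props.conf and transforms.conf so the new stanzas take effect.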