Can you send the same event log to two different Indexes in the same app?

Gregski11 — Tue, 13 Jun 2023 13:19:12 GMT

so we have a Deployment Server with an application on there that already sends the three basic Windows Event logs (Application, Security, and System) to an Index say called EventLogs. Can we in the same app have the same three logs be sent to a second Index say called EventLogs2?

I know this may sound a bit crazy but this is just for troubleshooting and will be only implemented for a couple days.

the inputs.conf stanzas look something like this:

[WinEventLog://System]
index=EventLogs
disabled = false

[WinEventLog://System]
index=EventLogs2
disabled = false

Re: Can you send the same Event Log to two different Indexes in the same app?

paulcurry — Mon, 12 Jun 2023 22:44:18 GMT

I'd be interested in this as well. However, you could have a scheduled job to export the logs to a file on the windows machine, the put a Monitor stanza in the inputs.conf to go to another index as a workaround. Just trying to think of other ways just in case.

topic Can you send the same event log to two different Indexes in the same app? in Splunk Enterprise

Can you send the same event log to two different Indexes in the same app?

Re: Can you send the same Event Log to two different Indexes in the same app?