https://community.splunk.com/t5/Getting-Data-In/Splunk-Metadata-for-Windows-EVTX-Files/m-p/74614#M15244 <P>That's a good point. I will send this to the docs team and them updated.</P> <P>Thanks!</P> Thu, 21 Oct 2010 23:07:32 GMT Ledio_Ago 2010-10-21T23:07:32Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Metadata-for-Windows-EVTX-Files/m-p/74611#M15241 <P>I am at a site where we are using a Splunk Forwarder to mount a DFS share and read EVTX Archive Files placed there by another entity.</P> <P>The Splunk Forwarder is 4.1.5 x64 on Windows 2008. The Splunk Forwarder is also a Search Head federating search requests to the same indexer where it is sending these evtx logs (not that it should make a difference).</P> <P>There are no problems with the reads/parse of the EVTX files; however, we appear to have a problem with modifying the Splunk Metadata for these events.</P> <P>Ideally, we would customize the <I>Index</I> field. This appears to not work.</P> <P>In the <I>inputs.conf</I> I have tried setting the <I>index</I> and the <I>sourcetype</I> but no matter what I enter, here is where the events show up:</P> <UL> <LI>index=main</LI> <LI>sourcetype=WinEventLog:Security</LI> </UL> <P>I have also tried using props/transforms to set the Metatdata DEST_KEY on both the Forwarder and the Indexer (several ways). No matter, what I select or set, it appears that I can have no impact on the <I>index</I> or <I>sourcetype</I>.</P> <P>My thought is that since the evtx files are binary, that a separate process handles these that isn't accepting modification.</P> <P>Is this crazy or some limitation of the (evt|evtx) parser?</P> <P>Sean</P> Thu, 21 Oct 2010 07:05:20 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Metadata-for-Windows-EVTX-Files/m-p/74611#M15241 sdwilkerson 2010-10-21T07:05:20Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Metadata-for-Windows-EVTX-Files/m-p/74612#M15242 <P>Sean, that is true. You can't set index, source or any other metadata for ".evt(x)" type inputs. There is a special process that does the parsing, instead of the tailing processor, and it doesn't support setting those type of metadata.</P> <P>This has been fixed and will be shipped with next major version of Splunk, 4.2</P> <P>Thanks, Ledio </P> Thu, 21 Oct 2010 08:07:17 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Metadata-for-Windows-EVTX-Files/m-p/74612#M15242 Ledio_Ago 2010-10-21T08:07:17Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Metadata-for-Windows-EVTX-Files/m-p/74613#M15243 <P>Ledio,<BR /> Much appreciated. I thought I was going nuts. Wish the docs had warned me.<BR /> Sean</P> Thu, 21 Oct 2010 08:20:09 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Metadata-for-Windows-EVTX-Files/m-p/74613#M15243 sdwilkerson 2010-10-21T08:20:09Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Metadata-for-Windows-EVTX-Files/m-p/74614#M15244 <P>That's a good point. I will send this to the docs team and them updated.</P> <P>Thanks!</P> Thu, 21 Oct 2010 23:07:32 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Metadata-for-Windows-EVTX-Files/m-p/74614#M15244 Ledio_Ago 2010-10-21T23:07:32Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Metadata-for-Windows-EVTX-Files/m-p/74615#M15245 <P>Done. (from the docs team)</P> Fri, 22 Oct 2010 02:51:25 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Metadata-for-Windows-EVTX-Files/m-p/74615#M15245 malmoore 2010-10-22T02:51:25Z