https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111464#M23355 <P>change on Indexers and Heavy forwarders</P> Tue, 08 Apr 2014 18:19:06 GMT yannK 2014-04-08T18:19:06Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111457#M23348 <P>After upgrading my Windows servers 2003 to Splunk 6. I discovered that all my nullQueues filter stopped working, and I indexed mode data than before.</P> <P>I checked, and the reason is that the sourcetype name for the <STRONG>WinEventLog has a different case for the first letter of the channel</STRONG> :</P> <UL> <LI>WinEventLog:Security</LI> <LI>WinEventLog:System</LI> <LI>WinEventLog:Application</LI> <LI>WinEventLog:Capitalized-channel-name</LI> </UL> <P>became under <STRONG>Splunk 6 for Win 2003 only</STRONG></P> <UL> <LI>WinEventLog:security</LI> <LI>WinEventLog:system</LI> <LI>WinEventLog:application</LI> <LI>WinEventLog:smallcaps-channel-name</LI> </UL> <HR /> <P>FYI my filter on the indexers and heavy forwarders were :</P> <UL> <LI>in props.conf</LI> </UL> <P><CODE>[WinEventLog:Security]<BR /> TRANSFORMS-nullqueuefilter=MyNullQueueFilter<BR /> </CODE></P> <UL> <LI>in transforms.conf</LI> </UL> <P><CODE>[MyNullQueueFilter]<BR /> REGEX = (Windows Update) <BR /> DEST_KEY = queue <BR /> FORMAT = nullQueue<BR /> </CODE></P> Mon, 13 Jan 2014 22:39:58 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111457#M23348 yannK 2014-01-13T22:39:58Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111458#M23349 <P>This is a known bug SPL-78726, the fix is not yet released in Splunk 6.0 or 6.0.1</P> <P>For the search, the sourcetypes are case insensitive, so you will find the events.<BR /> But for the props.conf matching the regex and stanza are case sensitive, so they may not apply anymore.</P> <P>Workaround :</P> <UL> <LI>change your props.conf to match all your formats</LI> </UL> <P>`<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-nullqueuefilter=MyNullQueueFilter</P> <P>[WinEventLog:security]<BR /> TRANSFORMS-nullqueuefilter=MyNullQueueFilter<BR /> ` </P> <UL> <LI>force the sourcetype name in the inputs.conf</LI> </UL> <P><CODE><BR /> [WinEventLog://Security]<BR /> sourcetype=WinEventLog:Security<BR /> </CODE></P> Mon, 13 Jan 2014 22:45:08 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111458#M23349 yannK 2014-01-13T22:45:08Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111459#M23350 <P>which inputs.conf should I change this in the apps or the system/local directory?</P> Mon, 31 Mar 2014 20:39:39 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111459#M23350 aberdamy 2014-03-31T20:39:39Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111460#M23351 <P>As you wish, <BR /> - system/local will always win, so this is a very definitive place to change<BR /> - While an app can be deployed easily to all instances using a deployment server</P> Mon, 31 Mar 2014 21:06:23 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111460#M23351 yannK 2014-03-31T21:06:23Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111461#M23352 <P>So do we change the props.conf on the forwarder or indexer? Also, are these two separate workarounds that will solve the issue or are they to be used together?</P> Tue, 01 Apr 2014 12:47:47 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111461#M23352 aberdamy 2014-04-01T12:47:47Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111462#M23353 <P>the indextime filters only applies on the instances parsing the events : Indexers and Heavy forwarders (if any)</P> <P>If you had custom props.conf that were working, change they were they already exist.</P> Tue, 01 Apr 2014 16:54:17 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111462#M23353 yannK 2014-04-01T16:54:17Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111463#M23354 <P>Thank you for your response however I'm not sure what you're saying here could you please clarify?</P> Tue, 01 Apr 2014 19:50:42 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111463#M23354 aberdamy 2014-04-01T19:50:42Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111464#M23355 <P>change on Indexers and Heavy forwarders</P> Tue, 08 Apr 2014 18:19:06 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filters-failing-Windows-2003-and-splunk-6-SPL-78726/m-p/111464#M23355 yannK 2014-04-08T18:19:06Z