https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162297#M32949 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/142467">@linu1988</a> thanks for the reply. Will using SOURCE_KEY = MetaData:Host make the REGEX = test123 match on the host sending the log, or will it match on characters within the log itself. I should have clarified that I have used the DEST_KEY = queue and FORMAT = indexQueue successfully in the past.</P> <P>Thanks</P> Mon, 28 Sep 2020 17:12:59 GMT jodros 2020-09-28T17:12:59Z https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162291#M32943 <P>I recently installed the newest UF on a server to test before rolling out to the rest of the environment. I am able to monitor log files on the filesystem, but not wineventlogs. I verified the configuration is correct. Is there a bug with this UF?</P> <P>Any assistance would be appreciated.</P> Tue, 29 Jul 2014 19:02:24 GMT https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162291#M32943 jodros 2014-07-29T19:02:24Z https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162292#M32944 <P>it works on server 2008 i have tested, could you post your configuration?</P> Tue, 29 Jul 2014 19:23:10 GMT https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162292#M32944 linu1988 2014-07-29T19:23:10Z https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162293#M32945 <P>inputs.conf:<BR /> [WinEventLog:Application]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> checkpointInterval = 5<BR /> index = techsvcs</P> <P>As far as I can tell, this is the same wineventlog configuration that I have working on other versions of UF.</P> <P>There is also an outputs app that is working for 40+ other servers that is applied to this server to indicate how to send data to the indexers.</P> Mon, 28 Sep 2020 17:12:21 GMT https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162293#M32945 jodros 2020-09-28T17:12:21Z https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162294#M32946 <P>I figured it out. There is a statement in the props.conf on the indexers that deletes wineventlog:application data that does not match some regex value. I will need to modify this statement.<BR /> Thanks</P> Tue, 29 Jul 2014 20:15:06 GMT https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162294#M32946 jodros 2014-07-29T20:15:06Z https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162295#M32947 <P>I do have another question pertaining to the transforms.conf file. Would the below config route all logs to the normal queue for host test123?</P> <P>[keep_test123_data]<BR /> SOURCE_KEY = MetaData:Host<BR /> REGEX = test123<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> Mon, 28 Sep 2020 17:12:24 GMT https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162295#M32947 jodros 2020-09-28T17:12:24Z https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162296#M32948 <P>indexQueue is mentioned, so it will be indexed. Refer the document </P> <P><CODE><A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Datapipeline" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Datapipeline</A></CODE></P> Wed, 30 Jul 2014 09:50:55 GMT https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162296#M32948 linu1988 2014-07-30T09:50:55Z https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162297#M32949 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/142467">@linu1988</a> thanks for the reply. Will using SOURCE_KEY = MetaData:Host make the REGEX = test123 match on the host sending the log, or will it match on characters within the log itself. I should have clarified that I have used the DEST_KEY = queue and FORMAT = indexQueue successfully in the past.</P> <P>Thanks</P> Mon, 28 Sep 2020 17:12:59 GMT https://community.splunk.com/t5/Getting-Data-In/No-Wineventlogs-With-Universal-Forwarder-6-1-2-on-Windows-Server/m-p/162297#M32949 jodros 2020-09-28T17:12:59Z