https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174024#M35029 <P>I have install UF on our central syslog server. that syslog server is getting logs from different network devices. <BR /> logs files are getting saved at /central/$devicename$<BR /> I wan to save logs under index = syslog_route index.</P> Mon, 21 May 2018 12:16:52 GMT riqbal 2018-05-21T12:16:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174017#M35022 <P>Our Splunk 6.1.5 environment is on Linux. We have universal forwarders installed on our windows machines. They are already forwarding data to index "os_windows". I have another index "test_application_index" that some of my servers are forwarding other types of logs. Now, I also need to forward the Windows event log "application" to this "test_application_index". <BR /> I know that I can add the following lines to "inputs.conf" file for the second app(index), but I am not sure if it is the correct way as we already have this information in "os_windows" and by doing this, we are indexing that data twice.</P> <P>Any suggestions?</P> <P>[WinEventLog:Application]<BR /> disabled = false<BR /> index=test_application_index</P> Mon, 28 Sep 2020 18:34:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174017#M35022 KooroshFooladba 2020-09-28T18:34:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174018#M35023 <P>You probably want an eventtype here. Then you can specify where your data lives a little more granular. Do this on the Searchheads and Indexers.</P> <PRE><CODE>eventtypes.conf [wineventlog_application] search = sourcetype=WinEventLog:Application index=os_windows OR index=test_application_index </CODE></PRE> <P>Then in your search bar, do this:</P> <PRE><CODE>eventtype=wineventlog_application | do_other_things_here </CODE></PRE> Tue, 06 Jan 2015 19:28:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174018#M35023 alacercogitatus 2015-01-06T19:28:22Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174019#M35024 <P>Thanks for the reply, please correct me if I am wrong,<BR /> by what you have mentioned I believe you are assuming that the wineventlog_application is already in both indexes which is not my case, my wineventlog_application is just in os_windows and I need to send it to test_application_index</P> Mon, 28 Sep 2020 18:34:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174019#M35024 KooroshFooladba 2020-09-28T18:34:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174020#M35025 <P>So then whereever that input "WinEventLog:Application" is being collected from, create a local/inputs.conf with this in it:</P> <PRE><CODE>[WinEventLog:Application] index = test_application_index </CODE></PRE> <P>This will override the input and put it into the new index. You can't (and shouldn't) send it to both, so anything using os_windows will stop working.</P> Tue, 06 Jan 2015 19:43:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174020#M35025 alacercogitatus 2015-01-06T19:43:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174021#M35026 <P>Yes, I assumed that I should add this lines to the inputs.conf of those machine (windows machines) forwarding the logs, but my concern or question is by doing that aren't we indexing same data twice? indexing in os_windows by default and indexing in test_application_index which will cost us the license usage.</P> <P>Thanks</P> Mon, 28 Sep 2020 18:34:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174021#M35026 KooroshFooladba 2020-09-28T18:34:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174022#M35027 <P>Nope, the config is overwritten - you won't see the same data in two different indexes unless you do some really fancy configurations. If you goto C:\Program Files\SplunkUniversalForwarder\bin, and run: </P> <PRE><CODE>./splunk.exe cmd btool --debug inputs list WinEventLog:Application </CODE></PRE> <P>You will see what values are set, and what file they come from.</P> Tue, 06 Jan 2015 20:19:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174022#M35027 alacercogitatus 2015-01-06T20:19:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174023#M35028 <P>Thanks,</P> <P>I will try it today and will confirm tomorrow.</P> Tue, 06 Jan 2015 20:25:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174023#M35028 KooroshFooladba 2015-01-06T20:25:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174024#M35029 <P>I have install UF on our central syslog server. that syslog server is getting logs from different network devices. <BR /> logs files are getting saved at /central/$devicename$<BR /> I wan to save logs under index = syslog_route index.</P> Mon, 21 May 2018 12:16:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-Windows-event-log-quot-application-quot-to-2/m-p/174024#M35029 riqbal 2018-05-21T12:16:52Z