https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-transport-data-from-a-Windows-event-log-view/m-p/215157#M42356 <P>Hi,</P> <P>In our environment, many applications are logging into the Windows Application Event log.<BR /> We would like to transport it separately.</P> <P>Is it possible to transport data from a Windows Event log View?</P> <P>-Jens</P> Mon, 22 Feb 2016 15:14:43 GMT JensT 2016-02-22T15:14:43Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-transport-data-from-a-Windows-event-log-view/m-p/215157#M42356 <P>Hi,</P> <P>In our environment, many applications are logging into the Windows Application Event log.<BR /> We would like to transport it separately.</P> <P>Is it possible to transport data from a Windows Event log View?</P> <P>-Jens</P> Mon, 22 Feb 2016 15:14:43 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-transport-data-from-a-Windows-event-log-view/m-p/215157#M42356 JensT 2016-02-22T15:14:43Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-transport-data-from-a-Windows-event-log-view/m-p/215158#M42357 <P>Yes it's possible.<BR /> Take a look at this:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Monitorwindowseventlogdata">http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Monitorwindowseventlogdata</A></P> <P>In principle you would need something like the following in your inputs.conf file:</P> <PRE><CODE>[WinEventLog://Application] disabled = 0 start_from = oldest index = yourindexname </CODE></PRE> <P>Then simply search from your GUI with:</P> <PRE><CODE> index=yourindexname sourcetype=WinEventLog:Application </CODE></PRE> <P>The default sourcetype for Windows Application Logs is the one I specified above, but you can change this (not recommended as it'll have a major impact on parsing, etc).</P> Mon, 22 Feb 2016 15:49:16 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-transport-data-from-a-Windows-event-log-view/m-p/215158#M42357 javiergn 2016-02-22T15:49:16Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-transport-data-from-a-Windows-event-log-view/m-p/215159#M42358 <P>Hello,</P> <P>I do not want all Application Eventlogs. I want only logs from a VIEW.<BR /> And no, I do not want to use blacklist/whitelist.</P> <P>Regards,<BR /> Jens</P> Mon, 22 Feb 2016 15:59:07 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-transport-data-from-a-Windows-event-log-view/m-p/215159#M42358 JensT 2016-02-22T15:59:07Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-transport-data-from-a-Windows-event-log-view/m-p/215160#M42359 <P>If your view has a unique path you can do it this way:</P> <PRE><CODE> [WinEventLog://Path-To-Your-View] disabled = 0 start_from = oldest index = yourindexname </CODE></PRE> <P>For example:</P> <PRE><CODE>[WinEventLog://Microsoft-Windows-TaskScheduler/Operational] </CODE></PRE> <P>If that doesn't work for you, do you have any other way to uniquely identify those logs you are planning to collect? Is there a field that is unique for those events? If that's the case, blacklists and whitelists might be the only reasonable way even if you don't want to use them.</P> Mon, 22 Feb 2016 16:23:05 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-transport-data-from-a-Windows-event-log-view/m-p/215160#M42359 javiergn 2016-02-22T16:23:05Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-transport-data-from-a-Windows-event-log-view/m-p/215161#M42360 <P>You do not have to use Splunk's built-in <CODE>WinEventLog</CODE> facility. You can use the native Windows facilities to write a subset of logs to a directory/file and the use normal Splunk directory/file monitoring to forward them in.</P> Mon, 22 Feb 2016 18:48:44 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-transport-data-from-a-Windows-event-log-view/m-p/215161#M42360 woodcock 2016-02-22T18:48:44Z