https://community.splunk.com/t5/Getting-Data-In/formatting-Windows-Eventlog-in-Unix-Splunk/m-p/28240#M4809 <P>Like Ayn says some more details would be useful.<BR /> Firstly your inputs.conf detail would explain in more detail how you have it configured (from the universal forwarder (UF).<BR /> Anyway, some basics to help-out.<BR /> The UF is installed onto your Windows machine and is configured via the <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf">inputs.conf</A> and <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/outputsconf">outputs.conf</A> as to what log/file data it reads in and where and how it outputs it.<BR /> Assuming you are using all defaults and have just used the setup program for the forwarder to configure the UF it will do the following; output to port 9997 on your indexer and the default target index is main.<BR /> On your indexer you should then be able to do a search for;</P> <PRE><CODE>index=main </CODE></PRE> <P>and it will display all the contents of that index (by default any searches should happen there anyway on a new install but I thought I'd state it explicitly to help explain).</P> <P>If nothing is appearing then there could be any number of issues, the target indexer on the UF is wrong, the UF isn't configured to actually forward anything etc.</P> <P>Something that may be happening which isn't clear is that you are getting events but they appear un-usable to yourself as they are literally the textual content of an event-log. To make the data in events more useful you can perform <A href="http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample">field extractions</A> to create useful and interesting fields for searching / charting.</P> <P>Some other bits. I assume you have 9997 defined as a tcp input on the server from your last line, also make sure that any firewall on the system is configured to allow connections.</P> <P>If you wanted more help checking config detail or event data etc then please feel free to post some examples for us to check over.</P> Sun, 04 Dec 2011 23:42:50 GMT Drainy 2011-12-04T23:42:50Z https://community.splunk.com/t5/Getting-Data-In/formatting-Windows-Eventlog-in-Unix-Splunk/m-p/28238#M4807 <P>Using Splunk indexer (Linux)+ Forwarder v4.2.4 at some Windows Servers. Forwarding is working but cant see details of the forwarded Window Eventlogs. Is there a HowTo that explains more than only adding a source listening to tcp:9997 to become a useable result in Splunk/Ux for Eventlogs?</P> Sun, 04 Dec 2011 00:40:35 GMT https://community.splunk.com/t5/Getting-Data-In/formatting-Windows-Eventlog-in-Unix-Splunk/m-p/28238#M4807 sneuser 2011-12-04T00:40:35Z https://community.splunk.com/t5/Getting-Data-In/formatting-Windows-Eventlog-in-Unix-Splunk/m-p/28239#M4808 <P>Please provide more details. Could you paste some sample events?</P> Sun, 04 Dec 2011 10:37:10 GMT https://community.splunk.com/t5/Getting-Data-In/formatting-Windows-Eventlog-in-Unix-Splunk/m-p/28239#M4808 Ayn 2011-12-04T10:37:10Z https://community.splunk.com/t5/Getting-Data-In/formatting-Windows-Eventlog-in-Unix-Splunk/m-p/28240#M4809 <P>Like Ayn says some more details would be useful.<BR /> Firstly your inputs.conf detail would explain in more detail how you have it configured (from the universal forwarder (UF).<BR /> Anyway, some basics to help-out.<BR /> The UF is installed onto your Windows machine and is configured via the <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf">inputs.conf</A> and <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/outputsconf">outputs.conf</A> as to what log/file data it reads in and where and how it outputs it.<BR /> Assuming you are using all defaults and have just used the setup program for the forwarder to configure the UF it will do the following; output to port 9997 on your indexer and the default target index is main.<BR /> On your indexer you should then be able to do a search for;</P> <PRE><CODE>index=main </CODE></PRE> <P>and it will display all the contents of that index (by default any searches should happen there anyway on a new install but I thought I'd state it explicitly to help explain).</P> <P>If nothing is appearing then there could be any number of issues, the target indexer on the UF is wrong, the UF isn't configured to actually forward anything etc.</P> <P>Something that may be happening which isn't clear is that you are getting events but they appear un-usable to yourself as they are literally the textual content of an event-log. To make the data in events more useful you can perform <A href="http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample">field extractions</A> to create useful and interesting fields for searching / charting.</P> <P>Some other bits. I assume you have 9997 defined as a tcp input on the server from your last line, also make sure that any firewall on the system is configured to allow connections.</P> <P>If you wanted more help checking config detail or event data etc then please feel free to post some examples for us to check over.</P> Sun, 04 Dec 2011 23:42:50 GMT https://community.splunk.com/t5/Getting-Data-In/formatting-Windows-Eventlog-in-Unix-Splunk/m-p/28240#M4809 Drainy 2011-12-04T23:42:50Z