https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435260#M75938 <P>I'm trying to use advanced whitefilter, but I'm coming up short. Basically, I want to index all Windows event logs that have a Type of Critical. I see EventType and Type, but both aren't what I'm looking for. </P> <P>Perhaps I can do transforms?</P> Mon, 28 Jan 2019 20:20:58 GMT tmontney 2019-01-28T20:20:58Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435260#M75938 <P>I'm trying to use advanced whitefilter, but I'm coming up short. Basically, I want to index all Windows event logs that have a Type of Critical. I see EventType and Type, but both aren't what I'm looking for. </P> <P>Perhaps I can do transforms?</P> Mon, 28 Jan 2019 20:20:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435260#M75938 tmontney 2019-01-28T20:20:58Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435261#M75939 <P>Assuming you are using Universal Forwarders on your Windows servers, you could use the blacklist facility in <CODE>inputs.conf</CODE>.</P> <P>For example the Splunk Add-on for Microsoft Windows comes with this blacklist by default for security log events:</P> <PRE><CODE>[WinEventLog://Security] disabled = 1 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" renderXml=false </CODE></PRE> <P>The reference documentation is here: <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Event_Log_whitelist_and_blacklist_formats">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Event_Log_whitelist_and_blacklist_formats</A></P> Mon, 28 Jan 2019 20:49:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435261#M75939 ccl0utier 2019-01-28T20:49:36Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435262#M75940 <P>Well, I see the field "Level" in the XML of most event logs. Splunk isn't pulling that field by default. If I could get this field working, I could do it this way but not sure how the rendering of XML comes into play.</P> Mon, 28 Jan 2019 21:31:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435262#M75940 tmontney 2019-01-28T21:31:33Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435263#M75941 <P>What's your current setup to pull Windows Log Events into Splunk at the moment?<BR /> What do the events look like?</P> Mon, 28 Jan 2019 21:33:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435263#M75941 ccl0utier 2019-01-28T21:33:11Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435264#M75942 <P>Using the standard universal forwarder.</P> <PRE><CODE>[WinEventLog://Application] disabled = 0 index = wineventlog interval = 60 whitelist = 1000, 1001, 11707, 11724 </CODE></PRE> <P>Say for example I wanted to turn this into pulling only Critical level events. The Level field is numeric, always seems to be 1. I know it exists because I can see it in XML View in Event Log viewer, on a PC.</P> Mon, 28 Jan 2019 21:46:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435264#M75942 tmontney 2019-01-28T21:46:26Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435265#M75943 <P>I assume you could use the severity_id or severity field?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6458i5421030C763B79F0/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>If not, can you provide an example of your event data and how you'd like to filter them?</P> Mon, 28 Jan 2019 22:00:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435265#M75943 ccl0utier 2019-01-28T22:00:46Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435266#M75944 <P>If severity ID maps to Level, sure. I'm not seeing that referenced in the docs. Just take your event log and filter for Critical. That's all I'm looking for.</P> Mon, 28 Jan 2019 22:28:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435266#M75944 tmontney 2019-01-28T22:28:19Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435267#M75945 <P>I don't have any in my test env.</P> Mon, 28 Jan 2019 22:49:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435267#M75945 ccl0utier 2019-01-28T22:49:47Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435268#M75946 <P>You can use any of them, like Error or Warning.</P> Mon, 28 Jan 2019 22:57:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435268#M75946 tmontney 2019-01-28T22:57:41Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435269#M75947 <P>Not exactly what you are looking for, I know, but you could try to blacklist unwanted events instead and see if that works for you:</P> <PRE><CODE>blacklist = Type="(Information)" </CODE></PRE> <P>Alternatively, you could run a network trace to see if the level field is collected by the Splunk UF and in what form and then whitelist only that. I'll try to set that up in my lab and see what I get.</P> Wed, 30 Jan 2019 13:59:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-index-only-critical-events/m-p/435269#M75947 ccl0utier 2019-01-30T13:59:56Z