topic Re: Add field to windows event in Getting Data In

Add field to windows event

Policello — Wed, 13 Jan 2021 08:53:46 GMT

Hello,

Is it possible to add fields to the windows event collected by a forwarder ?

I would like to add an environment variable before it is indexed.

Something like :

[WinEventLog://Application] disabled = 0 index=tiktak whitelist=SourceName="Tiktak*" addField=Cluster=$OM_CLUSTER_ID$

Thanks in advance

Re: Add field to windows event

gcusello — Wed, 13 Jan 2021 12:26:42 GMT

Hi @Policello,

do you want to add this environment variable to other events or check this variable?

in the first case I don't know how to do,.

In the second one, you could create a script that reads the environment variables and run it in a scripted input.

In other words, you have to :

create a script (called e.g. env.bat) containing the "set" command and put it in the "bin" folder of an app;
create a scripted input in inpus.conf of the same app, like this:

[script://../bin/end.bat] interval=3600 disabled = 0 index=tiktak sourcetype=env

deploy the app to the Forwarder.

Ciao.

Giuseppe

Re: Add field to windows event

Policello — Wed, 13 Jan 2021 14:30:01 GMT

Ciao @gcusello,

Thank you for your answer.

However I think I want to do the first case because I would like the value of the environment variable to be added to all indexed events :

LogName=Application SourceName=TikTakTok EventCode=0 EventType=4 Type=Information ComputerName=Server0001 TaskCategory=None OpCode=Info RecordNumber=44767 Keywords=Classic Message=Service started successfully. AddedField=$env:Variable

Re: Add field to windows event

gcusello — Thu, 14 Jan 2021 09:46:48 GMT

hi @Policello,

for my knowledge, I don't think that's possible, maybe someone else has a different solution!

Verify if the other choice is compatible with your needs.

Ciao and happy splunking.

Giuseppe