https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152539#M97960 <P>Windows event log, I want to index only part of the message</P> <P>exemple </P> <P>LogName=Security <BR /> SourceName=<STRONG>Microsoft Windows security auditing.</STRONG><BR /> EventCode=5447 <BR /> EventType=0</P> <P>SourceName order to index only part of what should you do?</P> Mon, 17 Feb 2014 04:27:45 GMT mrain7 2014-02-17T04:27:45Z https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152539#M97960 <P>Windows event log, I want to index only part of the message</P> <P>exemple </P> <P>LogName=Security <BR /> SourceName=<STRONG>Microsoft Windows security auditing.</STRONG><BR /> EventCode=5447 <BR /> EventType=0</P> <P>SourceName order to index only part of what should you do?</P> Mon, 17 Feb 2014 04:27:45 GMT https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152539#M97960 mrain7 2014-02-17T04:27:45Z https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152540#M97961 <P>If you are running Splunk 6 on your forwarders, there are <A href="http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/">options for filtering</A> what events and parts of the events you grab.</P> <P>Otherwise, you should check out the docs info on how to <A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Anonymizedatausingconfigurationfiles">Anonymize data</A>, but rather than using the SED props configuration for anonymizing your data, you would be removing the parts you don't want to index.</P> <P>HTH,</P> <P>Dave</P> Mon, 17 Feb 2014 06:40:58 GMT https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152540#M97961 dshpritz 2014-02-17T06:40:58Z https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152541#M97962 <P>thank you </P> <P>but..i need message text hm..</P> Mon, 17 Feb 2014 07:31:51 GMT https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152541#M97962 mrain7 2014-02-17T07:31:51Z https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152542#M97963 <P>I'm sorry, I don't know what you mean by "text hm"</P> Mon, 17 Feb 2014 07:36:14 GMT https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152542#M97963 dshpritz 2014-02-17T07:36:14Z https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152543#M97964 <P>sorry.</P> <P>02/17/2014 01:33:30 PM <BR /> LogName=Security <BR /> SourceName=Microsoft Windows security auditing. <BR /> EventCode=4688 <BR /> EventType=0 <BR /> Type=정보 <BR /> ComputerName=NIG-PC <BR /> TaskCategory=프로세스 만들기 <BR /> OpCode=정보 <BR /> RecordNumber=4470383 <BR /> Keywords=감사 성공 <BR /> Message=<STRONG>새 프로세스가 만들어져 있습니다.</STRONG></P> <P>I want to index the part in bold.</P> <P>thanks</P> Mon, 17 Feb 2014 07:49:00 GMT https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152543#M97964 mrain7 2014-02-17T07:49:00Z https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152544#M97965 <P>No problem. In the props.conf on your indexer or heavy forwarder, you would need to add the following:</P> <P>[WinEventLog:Security]</P> <P>SED-remove_before_message = (?s).*(?=Message=)</P> Mon, 17 Feb 2014 07:55:25 GMT https://community.splunk.com/t5/Getting-Data-In/split-windows-event-log/m-p/152544#M97965 dshpritz 2014-02-17T07:55:25Z