topic Re: Extracting fields from imported Windows Event Logs (text format) in Splunk Search

Extracting fields from imported Windows Event Logs (text format)

rturk — Fri, 30 Aug 2013 02:00:49 GMT

Hi Splunkers & Splunkettes,

I have a Splunk Indexer/Search Head running on a WIndows platform and I'm trying to import a text file containing archived Windows Event Log (Application) events as you would any other type of log file.

[monitor://<path_to_file>/WindowsEventLog_Application.txt]
followTail = 0
host_segment = 3
index = winevents
sourcetype = WinEventLog:Application
queue = parsingQueue

The issue is, no field extractions take place for the events I put in by this method, but they do work for events collected locally via the [WindowsEventLog:Application] in the inputs.conf.

So despite both:

Have the same sourcetype (WinEventLog:Application)
Are in the same index
Are accessed & visible in the same app

One works (the local event log interrogation), and one doesn't (mine :P)

I'd rather not reinvent the wheel and create all new props & transforms, when it's obviously in there and working for other data.

Any ideas?

PS. Splunk has been restarted.

Re: Extracting fields from imported Windows Event Logs (text format)

rturk — Fri, 30 Aug 2013 04:12:30 GMT

So I've made a bit of a work-around, but I'd still be interested to know why an existing sourcetype doesn't apply to my data when they are the same.

props.conf

[WindowsEventLog:Application]
REPORT-header_kv_extract = WinEventLog-kv_colon

transforms.conf

[WinEventLog-kv_colon]
REGEX = ^\s{2}([^:]+):\s+([^\n]+)
FORMAT = $1::$2

This performed my key/value extractions (for the time being).

Re: Extracting fields from imported Windows Event Logs (text format)

gkanapathy — Fri, 30 Aug 2013 05:36:09 GMT

Well, you can see the extractions in the $SPLUNK_HOME/etc/system/default/props.conf. If you look there, you'll see that the extractions are based not on the sourcetype, but on the source. Since your source is different, it doesn't work. Now, you could also make it work by overriding your source with a "source = WinEventLog:Application" setting in inputs.conf. Though probably you don't want to.

Re: Extracting fields from imported Windows Event Logs (text format)

gkanapathy — Fri, 30 Aug 2013 05:37:29 GMT

I assume it's a typo that you have WindowsEventLog in your stanza header rather than WinEventLog

Re: Extracting fields from imported Windows Event Logs (text format)

rturk — Sat, 31 Aug 2013 01:31:19 GMT

Yep that's a typo (couldn't copy & paste as I was on another server)

Re: Extracting fields from imported Windows Event Logs (text format)

rturk — Sat, 31 Aug 2013 01:32:51 GMT

Cheers, I'll give that a try (although I think I did override the source, resulting in the host extraction via 'host_segment' not working). I'll test it and let you know.