https://community.splunk.com/t5/Splunk-Search/Trying-to-send-WindowsEventlogs-to-different-index/m-p/187055#M53909 <P>Currently trying to limit logs out of the application, security, and system logs. I want to send only application and system critical/error to one index and security to a different index.</P> <P>[WinEventLog://Application]<BR /> checkpointInterval = 5<BR /> current_only = 0<BR /> disabled = 0<BR /> start_from = oldest<BR /> index=machine<BR /> [WinEventLog://System]<BR /> checkpointInterval = 5<BR /> current_only = 0<BR /> disabled = 0<BR /> start_from = oldest<BR /> index=machine</P> <P>Props.conf<BR /> [WinEventLog:Application]<BR /> TRANSFORMS-FilterEvents = Win_App_Log_FilterErrorEvents</P> <P>[WinEventLog:System]<BR /> TRANSFORMS-FilterEvents = Win_Sys_Log_FilterErrorEvent</P> <P>transform.conf</P> <P>[Win_App_Log_FilterErrorEvents]<BR /> REGEX = (?ism)Type=Error|Critical<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[Win_Sys_Log_FilterErrorEvent]<BR /> REGEX = (?ism)Type=Error|Critical<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>This is for the security event log</P> <P>[WinEventLog:Security]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> evt_resolve_ad_obj = 0<BR /> checkpointInterval = 5<BR /> whitelist = 4674,4720,4725,4726,4727,4728,4740,4947,5136,5137,5141<BR /> index = labser_av_ads</P> <P>I cant' see anything wrong with this.</P> Mon, 28 Sep 2020 15:31:56 GMT mileven 2020-09-28T15:31:56Z https://community.splunk.com/t5/Splunk-Search/Trying-to-send-WindowsEventlogs-to-different-index/m-p/187055#M53909 <P>Currently trying to limit logs out of the application, security, and system logs. I want to send only application and system critical/error to one index and security to a different index.</P> <P>[WinEventLog://Application]<BR /> checkpointInterval = 5<BR /> current_only = 0<BR /> disabled = 0<BR /> start_from = oldest<BR /> index=machine<BR /> [WinEventLog://System]<BR /> checkpointInterval = 5<BR /> current_only = 0<BR /> disabled = 0<BR /> start_from = oldest<BR /> index=machine</P> <P>Props.conf<BR /> [WinEventLog:Application]<BR /> TRANSFORMS-FilterEvents = Win_App_Log_FilterErrorEvents</P> <P>[WinEventLog:System]<BR /> TRANSFORMS-FilterEvents = Win_Sys_Log_FilterErrorEvent</P> <P>transform.conf</P> <P>[Win_App_Log_FilterErrorEvents]<BR /> REGEX = (?ism)Type=Error|Critical<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[Win_Sys_Log_FilterErrorEvent]<BR /> REGEX = (?ism)Type=Error|Critical<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>This is for the security event log</P> <P>[WinEventLog:Security]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> evt_resolve_ad_obj = 0<BR /> checkpointInterval = 5<BR /> whitelist = 4674,4720,4725,4726,4727,4728,4740,4947,5136,5137,5141<BR /> index = labser_av_ads</P> <P>I cant' see anything wrong with this.</P> Mon, 28 Sep 2020 15:31:56 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-send-WindowsEventlogs-to-different-index/m-p/187055#M53909 mileven 2020-09-28T15:31:56Z https://community.splunk.com/t5/Splunk-Search/Trying-to-send-WindowsEventlogs-to-different-index/m-p/187056#M53910 <P>So what behavior are you seeing? BTW, why do you have <CODE>[WinEventLog://Application]</CODE> instead of just <CODE>[WinEventLog:Application]</CODE>? What's the "<CODE>\\</CODE>" for?</P> Fri, 20 Dec 2013 23:35:03 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-send-WindowsEventlogs-to-different-index/m-p/187056#M53910 Lowell 2013-12-20T23:35:03Z https://community.splunk.com/t5/Splunk-Search/Trying-to-send-WindowsEventlogs-to-different-index/m-p/187057#M53911 <P>See this answer for the indextime index routing.<BR /> <A href="http://answers.splunk.com/answers/76609/routing-window-system-logs-to-a-different-index">http://answers.splunk.com/answers/76609/routing-window-system-logs-to-a-different-index</A></P> Sat, 21 Dec 2013 00:55:04 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-send-WindowsEventlogs-to-different-index/m-p/187057#M53911 yannK 2013-12-21T00:55:04Z