I can not find "WinEventLog:Security" on the source type selection screen when uploading data.

yutaka1005
Builder

I cannot find "WinEventLog:Security" on the source type selection screen when uploading data.
And I can't find it in the sourcetype list screen either.

However, the logs have a definite source type definition.

Is this a specification?
Also, if I want to display it on these screens, do I need to explicitly create a stanza in props.conf?

I hope someone can tell me.

1 Solution

tiagofbmm
Influencer

Hey

The reason is that the Splunk Add-on for Microsoft Windows is a TA and contains mainly what needs to be installed on the Indexer to properly break events and do other index-time operations.

Having that in mind, it appears that WinEventLog:Security is a sourcetype that only needs search-time extractions, as you can see in the app https://splunkbase.splunk.com/app/1680/.

The Splunk App for Windows Infrastructure, yes, needs to be installed on the Search Head and actually does those search-time extractions, and therefore will get you the sourcetype WinEventLog:Security as an option for uploading data.

To summarize: install the Splunk App for Windows Infrastructure on the machine where you want to have the option to choose WinEventLog:Security.

Let me know if it helps.

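To make the index-time versus search-time distinction in the accepted answer concrete, here is an added Python example (not from this thread, and not the configuration of either Splunk app) that parses a constructed props.conf fragment and reports, per stanza, which phase its settings belong to and therefore which Splunk role must carry that stanza. The setting lists are a partial set of documented props.conf settings, and the stanza contents are made up for illustration.

```python
import configparser
# Constructed props.conf fragment for illustration only; it is not copied
# from the Splunk Add-on for Microsoft Windows or any other app.
SAMPLE_PROPS = r"""
[WinEventLog:Security]
EXTRACT-logon_type = Logon Type:\s+(?<logon_type>\d+)
FIELDALIAS-user = Account_Name AS user

[custom:app]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_FORMAT = %Y-%m-%d %H:%M:%S
EXTRACT-level = level=(?<level>\w+)
"""

# Partial lists of documented props.conf settings, grouped by the phase in
# which Splunk applies them (assumption: these lists are not exhaustive).
INDEX_TIME = {"LINE_BREAKER", "SHOULD_LINEMERGE", "TRUNCATE", "TIME_PREFIX",
              "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD", "CHARSET"}
INDEX_TIME_PREFIXES = ("TRANSFORMS-", "SEDCMD-")
SEARCH_TIME = {"KV_MODE"}
SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")
ROLE = {frozenset({"search-time"}): "search head only",
        frozenset({"index-time"}): "indexer (or the heavy forwarder that parses)",
        frozenset({"index-time", "search-time"}): "indexer and search head"}

def load_props(text):
    """Parse props.conf text into {stanza: {setting: value}}."""
    # Setting names are case-sensitive; values may contain '%' and ':'.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def classify_setting(name):
    """Return 'index-time', 'search-time' or 'other' for one setting name."""
    if name in INDEX_TIME or name.startswith(INDEX_TIME_PREFIXES):
        return "index-time"
    if name in SEARCH_TIME or name.startswith(SEARCH_TIME_PREFIXES):
        return "search-time"
    return "other"

def classify_stanzas(text):
    """Map each stanza to the set of phases its settings belong to."""
    return {stanza: {classify_setting(k) for k in settings} - {"other"}
            for stanza, settings in load_props(text).items()}

def where_to_install(phases):
    """Name the Splunk role(s) that must carry a stanza with these phases."""
    return ROLE.get(frozenset(phases), "no parsing or extraction settings")
```

Run `classify_stanzas(SAMPLE_PROPS)` and pass each result to `where_to_install` to see that the constructed WinEventLog:Security stanza needs a search head only, while the stanza with line-breaking and timestamp settings needs the indexer as well.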
yutaka1005
Builder

Thank you for the answer!

You mean that the sourcetype WinEventLog:Security is defined as just the sourcetype field at index time if I install only the Splunk Add-on for Microsoft Windows.

Also, if I want to add search-time settings to the sourcetype WinEventLog:Security, I have to install the Splunk App for Windows Infrastructure, right?

tiagofbmm
Influencer

Yes, that is correct; it is the safer procedure indeed.

Please accept the answer and upvote if it helped solve your issue.