Is there a template for the advanced configuration options of Splunk Add-on for Microsoft Windows?

sloshburch
Splunk Employee

I want to reduce index volume by taking advantage of the advanced configuration options to remove extra text and normalize inappropriate values in both Classic and XML WinEventLog events by using SEDCMD as introduced in the Configure props.conf section of Configure the Splunk Add-on for Windows documentation.

To reduce human error and reinventing the wheel, would anyone who created this be willing to share that part of their configuration file?

1 Solution

sloshburch
Splunk Employee

The official documentation has been updated to capture this guidance. See Configure the Splunk Add-on for Windows within Deploy and Use the Splunk Add-on for Windows for the official guidance.

sloshburch
Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Absolutely! Here's just those sections. Notice that the explanations still live in the Splunk_TA_windows/default/props.conf so read there to better understand what you're doing.

Make sure you append this to (or create) a Splunk_TA_windows/local/props.conf:

## Explanations available within default/props.conf. See https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/ConfigurationConfigure_props.conf
[source::WinEventLog:System]
    SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g

[source::WinEventLog:Security]
    SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
    SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
    SEDCMD-cleansrcip = s/(Source Network Address:  (\:\:1|127\.0\.0\.1))/Source Network Address:/
    SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
    SEDCMD-remove_ffff = s/::ffff://g
    SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
    SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
    SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g

    # For XmlWinEventLog:Security
    SEDCMD-cleanxmlsrcport = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
    SEDCMD-cleanxmlsrcip = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/

[source::WinEventLog:ForwardedEvents]
    SEDCMD-remove_ffff = s/::ffff://g
    SEDCMD-cleansrcipxml = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/
    SEDCMD-cleansrcportxml = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
    SEDCMD-clean_rendering_info_block = s/<RenderingInfo Culture='.*'>(?s)(.*)<\/RenderingInfo>//

[WMI:WinEventLog:System]
    SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g

[WMI:WinEventLog:Security]
    SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
    SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
    SEDCMD-cleansrcip = s/(Source Network Address:  (\:\:1|127\.0\.0\.1))/Source Network Address:/
    SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
    SEDCMD-remove_ffff = s/::ffff://g
    SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
    SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
    SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g

Finally, it's important to recognize that SEDCMD usage causes increased indexer processing of the data. As a result, there will be a related uptick in resource usage and processing time for each event which, over a large enough volume of affected data, could produce a 'latency' or slight delay between receiving and writing events.
Fortunately, this is easily mitigated by healthy scaling of indexers and an even distribution of events from the forwarders to indexers. Ultimately, these SEDCMDs produce a strong improvement in search performance. This performance improvement easily outweighs the additional indexer processing.
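As an added illustration, not part of the answer above or of the add-on itself, the Python below applies the same s/// expressions from the Security and ForwardedEvents stanzas to two constructed sample events so you can see what the indexed text becomes; the rule order and the regex-dialect adjustments called out in the comments are assumptions.

```python
import re

# Constructed samples (not real captures), trimmed to the fields the SEDCMDs act on.
CLASSIC_EVENT = """An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Logon ID:       0x0

Network Information:
    Source Network Address:  127.0.0.1
    Source Port:        0

This event is generated when a logon session is created.
It is generated on the computer that was accessed."""

XML_EVENT = ("<Event><EventData><Data Name='IpAddress'>::ffff:192.0.2.10</Data><Data Name='IpPort'>0</Data>"
             "</EventData><RenderingInfo Culture='en-US'><Message>Logged on.</Message></RenderingInfo></Event>")

# The s/// expressions from the Security and ForwardedEvents stanzas as (pattern, replacement) pairs; a
# SEDCMD carrying two expressions becomes two entries. Listed order is assumed, and re.sub is always /g.
CLASSIC_RULES = [
    (r"(?m)(^\s+[^:]+\:)\s+-?$", r"\1"),                     # formater: trailing "-" placeholders
    (r"(?m)(:)(\s+NULL SID)$", r"\1"),                       # null_sid_id, first expression
    (r"(?m)(ID:)(\s+0x0)$", r"\1"),                          # null_sid_id, second expression
    (r"(Source Network Address:  (\:\:1|127\.0\.0\.1))", "Source Network Address:"),
    (r"(Source Port:\s*0)", "Source Port:"),
    (r"::ffff:", ""),
    (r"This event is generated[\S\s\r\n]+$", ""),            # Microsoft's explanatory text
]
XML_RULES = [
    (r"::ffff:", ""),
    (r"<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>", "<Data Name='IpAddress'></Data>"),
    (r"<Data Name='IpPort'>0<\/Data>", "<Data Name='IpPort'></Data>"),
    # Python only accepts a global inline flag at the start of the pattern, so (?s) moves there.
    (r"(?s)<RenderingInfo Culture='.*'>(.*)<\/RenderingInfo>", ""),
]

def apply_sedcmds(event, rules):
    """Rewrite the raw event text rule by rule, as the indexer does before writing it to disk."""
    for pattern, repl in rules:
        event = re.sub(pattern, repl, event)
    return event

if __name__ == "__main__":
    for name, raw, rules in (("Classic", CLASSIC_EVENT, CLASSIC_RULES), ("XML", XML_EVENT, XML_RULES)):
        cleaned = apply_sedcmds(raw, rules)
        print(f"--- {name}: {len(raw) - len(cleaned)} characters removed ---\n{cleaned}")
```

Because SEDCMD rewrites the raw event before it is indexed, the change is permanent: after cleansrcip a search for Source_Network_Address=127.0.0.1 no longer matches local logons, so check any saved searches or detections that key on the removed values before deploying.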
