All Apps and Add-ons

Why does the Splunk Add-on for Windows do a transform for each eventlog?


We upgraded our Splunk for Windows Add-on from version 4.3.8 to 5.0.1 and our memory doubled on our indexers. Not entirely sure the TA is the whole problem, but it does appear that as part of this upgrade, Splunk is doing a transform on each and every windows eventlog, and transforming the sourcetype, at the indexer layer. Why in the world would they do that? Seems like a really bad idea. Has anyone else run into this or confirmed it? If accurate, I'd like to understand why they don't just set it at the UFW layer.

The props:
TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype

The transforms:

## Setting generic sourcetype and unique source
DEST_KEY = MetaData:Source
REGEX = (?m)^LogName=(.+?)\s*$
FORMAT = source::WinEventLog:$1

DEST_KEY = MetaData:Source
REGEX = <Channel>(.+?)<\/Channel>.*
FORMAT = source::XmlWinEventLog:$1

SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::([^:]*)
FORMAT = sourcetype::$1
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!