We upgraded our Splunk for Windows Add-on from version 4.3.8 to 5.0.1 and our memory doubled on our indexers. Not entirely sure the TA is the whole problem, but it does appear that as part of this upgrade, Splunk is doing a transform on each and every windows eventlog, and transforming the sourcetype, at the indexer layer. Why in the world would they do that? Seems like a really bad idea. Has anyone else run into this or confirmed it? If accurate, I'd like to understand why they don't just set it at the UFW layer.
The props:
[(?::){0}WinEventLog:*]
TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype
The transforms:
## Setting generic sourcetype and unique source
[ta-windows-fix-classic-source]
DEST_KEY = MetaData:Source
REGEX = (?m)^LogName=(.+?)\s*$
FORMAT = source::WinEventLog:$1
[ta-windows-fix-xml-source]
DEST_KEY = MetaData:Source
REGEX = <Channel>(.+?)<\/Channel>.*
FORMAT = source::XmlWinEventLog:$1
[ta-windows-fix-sourcetype]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::([^:]*)
FORMAT = sourcetype::$1