Why does the Splunk Add-on for Windows do a transf...

a212830 · ‎01-23-2020

We upgraded our Splunk for Windows Add-on from version 4.3.8 to 5.0.1 and our memory doubled on our indexers. Not entirely sure the TA is the whole problem, but it does appear that as part of this upgrade, Splunk is doing a transform on each and every windows eventlog, and transforming the sourcetype, at the indexer layer. Why in the world would they do that? Seems like a really bad idea. Has anyone else run into this or confirmed it? If accurate, I'd like to understand why they don't just set it at the UFW layer.

The props:
[(?::){0}WinEventLog:*]
TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype

The transforms:

## Setting generic sourcetype and unique source
[ta-windows-fix-classic-source]
DEST_KEY = MetaData:Source
REGEX = (?m)^LogName=(.+?)\s*$
FORMAT = source::WinEventLog:$1

[ta-windows-fix-xml-source]
DEST_KEY = MetaData:Source
REGEX = <Channel>(.+?)<\/Channel>.*
FORMAT = source::XmlWinEventLog:$1

[ta-windows-fix-sourcetype]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::([^:]*)
FORMAT = sourcetype::$1

Why does the Splunk Add-on for Windows do a transform for each eventlog?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Why does the Splunk Add-on for Windows do a transform for each eventlog?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases