All Apps and Add-ons

Why does the Splunk Add-on for Windows do a transform for each eventlog?

a212830
Champion

We upgraded our Splunk for Windows Add-on from version 4.3.8 to 5.0.1 and our memory doubled on our indexers. Not entirely sure the TA is the whole problem, but it does appear that as part of this upgrade, Splunk is doing a transform on each and every windows eventlog, and transforming the sourcetype, at the indexer layer. Why in the world would they do that? Seems like a really bad idea. Has anyone else run into this or confirmed it? If accurate, I'd like to understand why they don't just set it at the UFW layer.

The props:
[(?::){0}WinEventLog:*]
TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype

The transforms:

## Setting generic sourcetype and unique source
[ta-windows-fix-classic-source]
DEST_KEY = MetaData:Source
REGEX = (?m)^LogName=(.+?)\s*$
FORMAT = source::WinEventLog:$1

[ta-windows-fix-xml-source]
DEST_KEY = MetaData:Source
REGEX = <Channel>(.+?)<\/Channel>.*
FORMAT = source::XmlWinEventLog:$1

[ta-windows-fix-sourcetype]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::([^:]*)
FORMAT = sourcetype::$1
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...