All Apps and Add-ons

Why does the Splunk Add-on for Windows do a transform for each eventlog?

a212830
Champion

We upgraded our Splunk for Windows Add-on from version 4.3.8 to 5.0.1 and our memory doubled on our indexers. Not entirely sure the TA is the whole problem, but it does appear that as part of this upgrade, Splunk is doing a transform on each and every windows eventlog, and transforming the sourcetype, at the indexer layer. Why in the world would they do that? Seems like a really bad idea. Has anyone else run into this or confirmed it? If accurate, I'd like to understand why they don't just set it at the UFW layer.

The props:
[(?::){0}WinEventLog:*]
TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype

The transforms:

## Setting generic sourcetype and unique source
[ta-windows-fix-classic-source]
DEST_KEY = MetaData:Source
REGEX = (?m)^LogName=(.+?)\s*$
FORMAT = source::WinEventLog:$1

[ta-windows-fix-xml-source]
DEST_KEY = MetaData:Source
REGEX = <Channel>(.+?)<\/Channel>.*
FORMAT = source::XmlWinEventLog:$1

[ta-windows-fix-sourcetype]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::([^:]*)
FORMAT = sourcetype::$1
0 Karma
Get Updates on the Splunk Community!

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...