Windows EventLogs

mileven · ‎12-30-2013

Is it possible to send specific EventCodes to a different index other than the specified index. I want to send some application specific EventCodes to an application specific index that is not the default EventLog index.

For example.

EventCode 1-1000 goto index A
EventCode 10000-11000 go to index b

Is this possible?

Adrian · ‎01-04-2014

To answer your question... Yes, it is possible. This is the documentation you require: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setupmultipleindexes#Route\_specific\_eve...

You would have to modify your REGEX statement in your transforms.conf to grab the events you require:

   [<transforms_A>]
    REGEX = EventCode:([0-9]{1,3}|1000)
    DEST_KEY = _MetaData:Index
    FORMAT = indexA

    [<transforms_B>]
    REGEX = EventCode:1(0[0-9]{3}|1000)
    DEST_KEY = _MetaData:Index
    FORMAT = indexB

You might have to play around with the regex statements provided in example

aelliott · ‎12-30-2013

perhaps this post may assist you:
http://answers.splunk.com/answers/27781/distribute-data-from-one-source-to-different-indexes

aelliott · ‎12-30-2013

also see the part that says "Route specific events to a different index" here: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setupmultipleindexes

Windows EventLogs

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk