Re: Windows EventLogs

mileven · ‎12-30-2013

Is it possible to send specific EventCodes to a different index other than the specified index. I want to send some application specific EventCodes to an application specific index that is not the default EventLog index.

For example.

EventCode 1-1000 goto index A
EventCode 10000-11000 go to index b

Is this possible?

Adrian · ‎01-04-2014

To answer your question... Yes, it is possible. This is the documentation you require: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setupmultipleindexes#Route\_specific\_eve...

You would have to modify your REGEX statement in your transforms.conf to grab the events you require:

   [<transforms_A>]
    REGEX = EventCode:([0-9]{1,3}|1000)
    DEST_KEY = _MetaData:Index
    FORMAT = indexA

    [<transforms_B>]
    REGEX = EventCode:1(0[0-9]{3}|1000)
    DEST_KEY = _MetaData:Index
    FORMAT = indexB

You might have to play around with the regex statements provided in example

aelliott · ‎12-30-2013

perhaps this post may assist you:
http://answers.splunk.com/answers/27781/distribute-data-from-one-source-to-different-indexes

aelliott · ‎12-30-2013

also see the part that says "Route specific events to a different index" here: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setupmultipleindexes

Windows EventLogs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation