Getting Data In

Add field to windows event

Policello
New Member

Hello,

Is it possible to add fields to the Windows events collected by a forwarder?

I would like to add an environment variable before it is indexed.

Something like:

[WinEventLog://Application]
disabled = 0
index=tiktak
whitelist=SourceName="Tiktak*"
addField=Cluster=$OM_CLUSTER_ID$

Thanks in advance

0 Karma

gcusello
SplunkTrust

Hi @Policello,

Do you want to add this environment variable to other events, or check this variable?

In the first case I don't know how to do it.

In the second one, you could create a script that reads the environment variables and run it in a scripted input.

In other words, you have to:

  • create a script (called e.g. env.bat) containing the "set" command and put it in the "bin" folder of an app;
  • create a scripted input in inputs.conf of the same app, like this:
[script://../bin/env.bat]
interval=3600
disabled = 0
index=tiktak
sourcetype=env
  • deploy the app to the Forwarder.

Ciao.

Giuseppe

0 Karma
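As an added example (not code from this thread), the same scripted-input approach written in PowerShell instead of a .bat running "set": it emits one key=value event per run so the variable value becomes a searchable field. It assumes a hypothetical app named env_app and that the forwarder can run .ps1 scripted inputs; the variable name OM_CLUSTER_ID and index tiktak come from the question.

```powershell
# Hypothetical path: $SPLUNK_HOME\etc\apps\env_app\bin\env_cluster.ps1
# Emits one line per run, in key=value form, so Splunk's automatic
# extraction produces the fields host, var and Cluster.

function Get-ClusterEvent {
    param(
        # Environment variable to report (name taken from the question).
        [string]$VariableName = 'OM_CLUSTER_ID'
    )
    # Read the variable from the forwarder service's own environment.
    $value = [Environment]::GetEnvironmentVariable($VariableName)

    # Edge case: an unset or empty variable still produces an event, with
    # an explicit marker, so a missing value is visible in searches
    # instead of silently producing no data.
    if ([string]::IsNullOrWhiteSpace($value)) {
        $value = 'UNSET'
    }

    # Timestamp first so Splunk picks it up as the event time; values are
    # quoted so spaces stay inside a single field.
    $ts = (Get-Date).ToString('yyyy-MM-ddTHH:mm:sszzz')
    return ('{0} host="{1}" var="{2}" Cluster="{3}"' -f
        $ts, $env:COMPUTERNAME, $VariableName, $value)
}

Write-Output (Get-ClusterEvent)

# Matching inputs.conf stanza for the app (index and interval as in the
# answer above; the file name is the hypothetical one used here):
#   [script://../bin/env_cluster.ps1]
#   interval = 3600
#   disabled = 0
#   index = tiktak
#   sourcetype = env
```

The resulting events carry the Cluster field on the scripted-input events only, not on the WinEventLog events, which is the second of the two cases described in the answer.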

Policello
New Member

Ciao @gcusello,

Thank you for your answer.

However, I think I want to do the first case, because I would like the value of the environment variable to be added to all indexed events:

LogName=Application
SourceName=TikTakTok
EventCode=0
EventType=4
Type=Information
ComputerName=Server0001
TaskCategory=None
OpCode=Info
RecordNumber=44767
Keywords=Classic
Message=Service started successfully.
AddedField=$env:Variable

0 Karma

gcusello
SplunkTrust

Hi @Policello,

To my knowledge, I don't think that's possible; maybe someone else has a different solution!

Verify if the other choice is compatible with your needs.

Ciao and happy splunking.

Giuseppe

0 Karma