Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change sourcetype for data coming from UF

lukasmecir
Path Finder
‎12-18-2020 09:17 AM

Hello Splunkers,

I need help with change sourcetype in logs.

There is UF installed on Win server. I would like to collect Windows log, so Splunk add-on for Windows is installed on UF. There is no config change in add-on itself, only I made separate app for collectin Application log wit simple input.conf file:

# Windows platform specific input processor.
[WinEventLog://Application]
index = windows_app
disabled = 0
renderXml=false

Log is going from UF to HF. On HF I would like to change sourcetype for part of Win log, namely for Citrix FAS log. So I made app on HF with this content:

props.conf
[WinEventLog]
TRANSFORMS-win_citrix_fas_sourcetype = citrix_fas_sourcetype

transforms.conf
[citrix_fas_sourcetype]
REGEX = SourceName=Citrix\.Authentication\.FederatedAuthenticationService
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::citrix_fas

Splunk add-on for Windows is installed on HF as well.

Problem is log is indexed with sourcetype=WinEventLog, so my app on HF is manifestly ineffective. Of course, my app has Global permissions and is enabled. And REGEX in transforms.conf should be OK. Could you someone help me point out what is wrong? AFAIK it should be working...

Thank in advance for help.

Regards

Lukas 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎12-19-2020 02:45 AM

@lukasmecir, on props.conf you can try with source stanza which has higher precedence. 

props.conf
[source::WinEventLog:Application]
TRANSFORMS-win_citrix_fas_sourcetype = citrix_fas_sourcetype

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

lukasmecir
Path Finder
‎12-22-2020 07:07 AM

Hi all,

finally I used solution proposed by @scelikok - and it works! Problem solved. I would like to thank you all for your effort and Marry Christmas and Happy New Year to all!

0 Karma
Reply
Solved! Jump to solution

saravanan90
Contributor
‎12-19-2020 08:56 AM

It seems the actual sourcetype is not WinEventLog.  The original sourcetype is "WinEventLog:Application".

It is being renamed as wineventlog during the search time. Please find below the props.conf for renaming from the TA.

[WinEventLog:Application]
rename = wineventlog

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎12-19-2020 02:45 AM

@lukasmecir, on props.conf you can try with source stanza which has higher precedence. 

props.conf
[source::WinEventLog:Application]
TRANSFORMS-win_citrix_fas_sourcetype = citrix_fas_sourcetype

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-18-2020 09:30 AM

Hi @lukasmecir,

the only not correcy thing I see is that in the regex you didn't escaped = but it should be not relevant.

Couls you share a sample of your logs?

Also configurations on HF should seem OK.

A final stupid question: are you sure that those logs pass through the HF?

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

lukasmecir
Path Finder
‎12-21-2020 01:07 AM

Hi Giuseppe,

here is log sample:

12/17/2020 03:25:13 PM
LogName=Application
SourceName=Citrix.Authentication.FederatedAuthenticationService
EventCode=105
EventType=4
Type=Information
ComputerName=TV1EPVFD2001.acme.com
TaskCategory=None
OpCode=Info
RecordNumber=5200505
Keywords=Classic
Message=[S105] Server [CSINT\TV1EPVSF1003$] issued identity assertion [upn: tt-60807@ext.com, role Default, Security Context: []]. [correlation: 15ed3202-3d19-4bc2-8060-371dcbaf2dca]

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-21-2020 03:30 AM

Hi @lukasmecir,

viewing the sample you sent the regex seems to be correct (escaping "="):

REGEX = SourceName\=Citrix\.Authentication\.FederatedAuthenticationService

As hinted by @scelikok, it could be a good idea to use Source instead Sourcetype as stanzas header:

[source::WinEventLog:Application]

this is caused by the different classification of Windows events.

Did you checked if all the logs pass through the HF?

If not, put the same props.conf and transforms.conf stanzas also on Indexers.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...