Getting Data In

Does EVENT_BREAKER configuration need to be added on a Splunk UF collecting logs via WinEventLog://ForwardedEvents inputs ?

Path Finder

Hello Splunkers,

Will EVENT_BREAKER configuration be a good idea to reduce indexer stickiness for a Splunk UF collecting windows logs via windows event forwarding or will it be handled natively by splunk as WinEventLog://ForwardedEvents is a splunk managed mechanism much like the WinEventLog://Security ?

[WinEventLog://ForwardedEvents]
sourcetype=WinEventLog:ForwardedEvents
index = mywindowsindex

0 Karma

Builder

Yes, it is good idea to reduce indexer stickiness and get a better spread for the data across the indexers
These are the key/pair to include for all source types as best practice:

- SHOULD_LINEMERGE = < boolean >
- LINE_BREAKER = < regex >
- TRUNCATE = 99999 
- TIME_PREFIX =  < regex > 
- TIME_FORMAT = < strp-style format >
- MAX_TIMESTAMP_LOOKAHEAD = < integer >
- EVENT_BREAKER_ENABLE = < boolean >
- EVENT_BREAK = < regex >
0 Karma