Getting Data In

Does EVENT_BREAKER configuration need to be added on a Splunk UF collecting logs via WinEventLog://ForwardedEvents inputs ?

murikadan
Path Finder

Hello Splunkers,

Will EVENT_BREAKER configuration be a good idea to reduce indexer stickiness for a Splunk UF collecting windows logs via windows event forwarding or will it be handled natively by splunk as WinEventLog://ForwardedEvents is a splunk managed mechanism much like the WinEventLog://Security ?

[WinEventLog://ForwardedEvents]
sourcetype=WinEventLog:ForwardedEvents
index = my_windows_index

0 Karma

anmolpatel
Builder

Yes, it is good idea to reduce indexer stickiness and get a better spread for the data across the indexers
These are the key/pair to include for all source types as best practice:

- SHOULD_LINEMERGE = < boolean >
- LINE_BREAKER = < regex >
- TRUNCATE = 99999 
- TIME_PREFIX =  < regex > 
- TIME_FORMAT = < strp-style format >
- MAX_TIMESTAMP_LOOKAHEAD = < integer >
- EVENT_BREAKER_ENABLE = < boolean >
- EVENT_BREAK = < regex >
0 Karma
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...