Getting Data In

Event ID monitoring --> Need to get all the event ID details into Splunk; used the stanza below and am not getting data?

AK_Splunk
Explorer

Event ID monitoring --> Need to get all the event ID details into Splunk; used the stanza below and am not getting data. Please help.

[WinEventLog://Setup]
checkpointInterval = 5
current_only = 0
disabled = 0
whitelist1 = 1,2,3,4
index = sag_windows_normal
ignoreOlderThan = 7d
sourcetype = WinEventLog:Setup


[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
whitelist = *
index = sag_windows_normal
ignoreOlderThan = 7d
sourcetype = WinEventLog:Application


[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
whitelist1 = *
index = sag_windows_normal
ignoreOlderThan = 7d
sourcetype = WinEventLog:System


gcusello
SplunkTrust

Hi @AK_Splunk,

If you don't want to filter your events, don't use the whitelist option, not even as "whitelist=*".

[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
index = sag_windows_normal
ignoreOlderThan = 7d
sourcetype = WinEventLog:Application

[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
index = sag_windows_normal
ignoreOlderThan = 7d
sourcetype = WinEventLog:System

Ciao.

Giuseppe


AK_Splunk
Explorer

@gcusello, thanks for your prompt reply.
I have another question regarding event ID monitoring.

I have two event ID apps, named below, with only a few configuration changes.

1) Eventid1 --> inputs.conf stanza covers monitoring of all event IDs and indexes the data to index1
2) Eventid2 --> inputs.conf stanza covers monitoring of specific event IDs, for example 1,2,3,4,5,6, to index2

All other configuration regarding source and sourcetype remains the same for both apps. Once both apps are pushed to one specific Windows server, according to my understanding both should work and give data for their respective event IDs.

But when I implement this, only one of them works and brings in data. Please help me out with implementing this.


gcusello
SplunkTrust

Hi @AK_Splunk,

It's always better to create a new post for a new question, to get a quicker and maybe better answer from more people.

Anyway, two questions:

  1. Are the events in the two input stanzas different or the same?
  2. Do you want to duplicate events, or simply put them in different indexes?

If they are the same, by default Splunk doesn't index an event twice; if they are different, you have to analyse the monitoring stanzas.

If you want to put events in different indexes, you have to override the index value in this way:

On Indexers or (if present) on Heavy Forwarders, insert these:

props.conf

[mysourcetype]
TRANSFORMS-index = overrideindex

transforms.conf

[overrideindex]
DEST_KEY = _MetaData:Index
REGEX = <regex_for_specific_ids>
FORMAT = index2

Ciao.

Giuseppe


AK_Splunk
Explorer

@gcusello ,

Thanks for your reply. Yes, I do not want to filter anything. I want all the event IDs with Information, Warning and Error to get indexed for Application, Setup and System.

I have removed whitelist=* from all three stanzas and am waiting for events to be generated.

gcusello
SplunkTrust

Hi @AK_Splunk,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

AK_Splunk
Explorer

Hi @gcusello,
I have pushed the inputs stanza below to one server:

[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
index = sag_windows_normal
ignoreOlderThan = 7d
sourcetype = WinEventLog:Application

But I am getting data in the format below. Both the data and the format look incorrect. Please assist me in resolving this issue.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='HHCTRL'/><EventID Qualifiers='0'>1903</EventID><Level>4</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2022-12-08T07:59:58.000000000Z'/><EventRecordID>12345678</EventRecordID><Channel>Application</Channel><Computer>serverfqdnaname</Computer><Security/></System><EventData><Data>http://go.microsoft.com/fwlink?LinkID=45839</Data></EventData></Event>


gcusello
SplunkTrust

Hi @AK_Splunk,

As you can read at https://docs.splunk.com/Documentation/Splunk/9.0.2/Admin/Inputsconf, you have to use the option renderXml:

renderXml = <boolean>
* Whether or not the input returns the event data in XML (eXtensible Markup
  Language) format or in plain text.
* Set this to "true" to render events in XML.
* Set this to "false" to output events in plain text.
* If you set this setting to "true", you should also set the 'suppress_text',
  'suppress_sourcename', 'suppress_keywords', 'suppress_task', and
  'suppress_opcode' settings to "true" to improve thruput performance.
* Default: false

to have your output in a format other than XML.

Ciao.

Giuseppe
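An added example, not from the thread or from Splunk, that fills in the `<regex_for_specific_ids>` placeholder of the index-override answer (props.conf/transforms.conf) and checks the pattern against both event renderings seen in this thread: the plain-text `EventCode=` field and the `<EventID>` element of the XML output produced when renderXml is on. The event IDs 1-6, the index names, the stanza name `overrideindex` and the sample events are constructed assumptions.

```python
import re

# Constructed assumptions: event IDs, index names and sample events are not from the thread.
ROUTED_IDS = {1, 2, 3, 4, 5, 6}   # the "specific event IDs" from the question
DEFAULT_INDEX = "index1"
ROUTED_INDEX = "index2"


def build_regex(event_ids):
    """Return the pattern a transforms.conf REGEX would carry for these IDs.

    The trailing lookahead matters: a bare "EventCode=1" also matches
    EventCode=10, 12 or 1000, and those events would be re-routed as well.
    """
    alts = "|".join(str(i) for i in sorted(event_ids))
    # Plain-text rendering: "EventCode=4".  XML rendering (renderXml=true):
    # "<EventID Qualifiers='0'>4</EventID>".  Both forms are accepted.
    return re.compile(rf"(?:EventCode=|<EventID[^>]*>)(?:{alts})(?=\D|$)")


def transforms_stanza(event_ids, stanza="overrideindex", dest=ROUTED_INDEX):
    """Render the transforms.conf stanza from the answer with the regex filled in."""
    return "\n".join([
        f"[{stanza}]",
        "DEST_KEY = _MetaData:Index",
        f"REGEX = {build_regex(event_ids).pattern}",
        f"FORMAT = {dest}",
    ])


def route_index(raw_event, pattern, default=DEFAULT_INDEX, routed=ROUTED_INDEX):
    """Mimic the override: REGEX runs against _raw; on a match FORMAT replaces the index."""
    return routed if pattern.search(raw_event) else default


PATTERN = build_regex(ROUTED_IDS)

# Constructed sample events: plain-text style fields, and the XML shape from the thread.
PLAIN_ID4 = "12/08/2022 07:59:58 AM\nLogName=Application\nEventCode=4\nEventType=4\n"
PLAIN_ID10 = "12/08/2022 07:59:58 AM\nLogName=Application\nEventCode=10\nEventType=4\n"
XML_ID1903 = ("<Event><System><Provider Name='HHCTRL'/>"
              "<EventID Qualifiers='0'>1903</EventID></System></Event>")
XML_ID2 = "<Event><System><EventID Qualifiers='0'>2</EventID></System></Event>"

if __name__ == "__main__":
    print(transforms_stanza(ROUTED_IDS))
    for ev in (PLAIN_ID4, PLAIN_ID10, XML_ID1903, XML_ID2):
        print(route_index(ev, PATTERN))
```

Only events whose ID is exactly in the set land in index2; IDs that merely start with the same digits (10, 1903) stay in the default index.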


AK_Splunk
Explorer

Thanks a lot!
It worked.
