Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filter Windows Event Data to different Targets?

rbal_splunk
Splunk Employee
Splunk Employee
‎02-20-2016 09:57 PM

Question : I would like to ingest windows event data using Splunk Heavy Forwarder and need to filter Windows event logs to Splunk indexer. Basically I want to index Winevent (Application , System and Setup) on indexer 136 , All the other winevent Security log to indexer 133 and only winevent Security for EventCode 4634 and 4672 to Indexer144

What are the options to meet this need?

0 Karma
Reply

rbal_splunk
Splunk Employee
Splunk Employee
‎02-20-2016 09:59 PM

My test is based on Splunk Version 6.3.3.

Here are the setting that worked for me.

1)On Heavy Forwarder – set inputs.conf as

[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
_TCP_ROUTING = LI_133
disabled = 0
start_from = oldest

[WinEventLog://Setup]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

2) Also Heavy Forwarder has props.conf and transforms.conf as

----Props.conf---------
[WinEventLog:Security]
TRANSFORMS-null= InCludeEvents

----transforms.conf-------
[InCludeEvents]
REGEX = EventCode=(4634|4672)
DEST_KEY = _TCP_ROUTING
FORMAT = LI_144

3) Also Heavy Forwarder-outputs.conf has

[tcpout]
indexAndForward = 1
autoLB = true
compressed = false
defaultGroup = LI_136

[tcpout:LI_136]
server = server_136:9997

[tcpout: LI_144]
server = server_136:9997

[tcpout:LI_133]
server = server_133:9997

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...