Filtering Windows logs on Splunk Forwarder

ageld
Path Finder

If I make the configuration changes mentioned by Maverick in http://answers.splunk.com/questions/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-ev..., how do I send other logs/events to the same indexer? For example, how would I send DHCP logs, WindowsUpdate logs, WMI stuff? Do I have to tweak props.conf, transforms.conf, and outputs.conf for every log? Also, in which application should I make the changes to props.conf, transforms.conf, and outputs.conf? I tried to do it under F:\Program Files\Splunk\etc\apps\SplunkForwarder\, but it did not make a difference. No events appeared on the indexer.

0 Karma

jgauthier
Contributor

On the forwarder you want to set up an input for every occurrence. Then, you would specify the sourcetype on the input (DHCP, Windows Update, WMI, etc.).

If you are using a light/universal forwarder, you build filters based on the sourcetype on the indexer.

If you're using a heavy forwarder, then you do the same thing. Specify the input and sourcetype. Build a props entry based on the sourcetype, and build a transforms entry based on the TRANSFORMS field.

On the indexer, the props/transforms are in etc\system\local. You do need to add an entry for every unique sourcetype.

0 Karma
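The layout the answer above describes, written out as an added example (not configuration from the original thread or from the linked post). It assumes a heavy forwarder or indexer doing the parsing, since a universal forwarder does not evaluate props/transforms. The indexer hostname, the DHCP log path, and the choice to keep only Security EventCodes 4624 and 4625 (logon success/failure) are constructed for illustration; pick the EventCodes your own monitoring actually needs. Each file goes in the same app's `local` directory (for example `etc\apps\myforwarder\local\`), with `outputs.conf` written once rather than per sourcetype.

```ini
; ---- inputs.conf ----
; One input stanza per source; each carries its own sourcetype so that
; props/transforms can be keyed on it.  (Added example, not the page's own config.)

[WinEventLog://Security]
disabled = 0
; Security events get filtered below; everything else is indexed as-is.

[WinEventLog://System]
disabled = 0

; Constructed DHCP server log path; adjust to your environment.
[monitor://C:\Windows\System32\dhcp]
disabled = 0
sourcetype = DhcpSrvLog
whitelist = DhcpSrvLog.*\.log

; WMI and Windows Update inputs would be added the same way, each with a
; distinct sourcetype, e.g. [WinEventLog://Setup] or a monitor:// stanza
; for C:\Windows\WindowsUpdate.log.

; ---- props.conf ----
; Filtering is keyed on the source of the Security event log only, so the
; System log, DHCP and any other sourcetype are untouched by it.

[source::WinEventLog:Security]
; Order matters: transforms run left to right and the last one that matches
; decides the queue.  Send everything to the null queue first, then pull the
; wanted EventCodes back into the index queue.
TRANSFORMS-filter = setnull, setparsing

; ---- transforms.conf ----
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
; Constructed allow-list: keep only logon success (4624) and failure (4625).
REGEX = (?m)^EventCode=(4624|4625)$
DEST_KEY = queue
FORMAT = indexQueue

; ---- outputs.conf ----
; Written once for the whole forwarder; it is not per-sourcetype.
; "indexer.example.internal" is a placeholder for your indexer.

[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer.example.internal:9997
```

To check that the filter is doing what you expect, restart Splunk on the parsing host and search the target index for `source="WinEventLog:Security"`: only the allow-listed EventCodes should appear, while `source="WinEventLog:System"` and `sourcetype=DhcpSrvLog` should arrive unfiltered. If nothing at all shows up, confirm with `splunk btool outputs list --debug` that the `outputs.conf` stanza is being read from the directory you edited, because a stanza placed in an app that is not loaded has no effect.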