Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filtering Windows logs on Splunk Forwarder

ageld
Path Finder
‎04-05-2011 02:12 PM

If I make configuration changes mentioned by Maverick, in http://answers.splunk.com/questions/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-ev..., how do I send other logs/events to the same indexer. For example, how would I send DHCP logs, WindowsUpdate logs, WMI stuff? Do I have to tweak props.conf, transforms.conf, output.conf for every log? Also, which application should I make the changes to props.conf, transforms.conf, and output.conf? I tried to do it under F:\Program Files\Splunk\etc\apps\SplunkForwarder\, but it did not make a difference. No events appeared on the idexer

Tags (1)
0 Karma
Reply

jgauthier
Contributor
‎04-05-2011 02:34 PM

On the forwarder you want to set up an input for every occurrence. Then, you would specify the sourcetype on the input. (DHCP, windows update, wmi, etc)

If you are using a light/universal forwarder, you build filters based on the sourcetype on the indexer.

If you're using a heavy forwarder, then you do the same thing. Specify the input, and sourcetype. Build a props entry based on the source type, and build a transforms entry based on the TRANSFORMS field.

On the indexer, the props/transforms are in etc\system\local You do need to add an entry for every unique sourcetype.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...