Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filtering Windows logs on Splunk Forwarder

ageld
Path Finder
‎04-05-2011 02:12 PM

If I make configuration changes mentioned by Maverick, in http://answers.splunk.com/questions/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-ev..., how do I send other logs/events to the same indexer. For example, how would I send DHCP logs, WindowsUpdate logs, WMI stuff? Do I have to tweak props.conf, transforms.conf, output.conf for every log? Also, which application should I make the changes to props.conf, transforms.conf, and output.conf? I tried to do it under F:\Program Files\Splunk\etc\apps\SplunkForwarder\, but it did not make a difference. No events appeared on the idexer

Tags (1)
0 Karma
Reply

jgauthier
Contributor
‎04-05-2011 02:34 PM

On the forwarder you want to set up an input for every occurrence. Then, you would specify the sourcetype on the input. (DHCP, windows update, wmi, etc)

If you are using a light/universal forwarder, you build filters based on the sourcetype on the indexer.

If you're using a heavy forwarder, then you do the same thing. Specify the input, and sourcetype. Build a props entry based on the source type, and build a transforms entry based on the TRANSFORMS field.

On the indexer, the props/transforms are in etc\system\local You do need to add an entry for every unique sourcetype.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...