Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting sourcetype as XMLWinEventLogs?

KulvinderSingh
Path Finder
‎11-26-2021 03:03 AM

Hi All,

trying to get WinEventlogs from SF to Indexer via HF. The logs are getting indexed but seems likes they are not getting parsed through TA as i am getting sourcetype as XMLWinEventLog instead or Wineventlog. Any help is appreciated.

Splunk_TA_Windows is installed on SF,HF,Indexers.

regards,

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tshah-splunk
Splunk Employee
Splunk Employee
‎12-31-2021 10:52 AM

Check the following btool command to identify the rendering of the windows events. 

$SPLUNK_HOME/bin/splunk btool inputs list <<input_name>> --debug | grep renderXML

If the value of the above parameter is set to true, then the events you receive will be in XML format, and hence the sourcetype. 

If you want the data to be not ingested in XML format, you can set the parameter to false and all new events will be in classic format with WinEventLog sourcetype

---
If you find the answer helpful, an upvote/karma is appreciated

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tshah-splunk
Splunk Employee
Splunk Employee
‎12-31-2021 10:52 AM

Check the following btool command to identify the rendering of the windows events. 

$SPLUNK_HOME/bin/splunk btool inputs list <<input_name>> --debug | grep renderXML

If the value of the above parameter is set to true, then the events you receive will be in XML format, and hence the sourcetype. 

If you want the data to be not ingested in XML format, you can set the parameter to false and all new events will be in classic format with WinEventLog sourcetype

---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma
Reply
Solved! Jump to solution

SinghK
Builder
‎01-02-2022 08:14 PM

Its fixed. it was an issue with inputs on forwarders.

0 Karma
Reply
Solved! Jump to solution

sb-e
New Member
‎01-23-2023 07:05 AM

Hello SinghK,

Could you please expand on your fix, i might be in the same senerio.

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Are you ready to uncover the threats hiding in plain sight? Join us for "Print, Leak, Repeat: UEBA Insider ...

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...