I am able to retrieve Windows event logs from remote machines using WMI, and I'm also indexing local Windows event logs. I'd like to organize the events coming from the local system and from remote systems based on Windows event log channels, e.g. Application, System, ... How do I do that?
Before you make any of the changes below, the indexes where you want these events to go need to already exist. For example, let's assume we have created the "WinEvtApp" index for Windows event log Application channel events, and the "WinEvtSec" index for the Security channel events.
For local Windows event logs it’s easy, just edit the inputs.conf file:
\local\inputs.conf
[WinEventLog:Application]
index=WinEvtApp
[WinEventLog:Security]
index=WinEvtSec
...
For Windows event logs coming from remote machines using WMI it's a little more complicated. The wmi.conf file is a configuration file specific to the wmi scripted input, and it has nothing to do with configuring the Splunk server. You'll need to create a transform to filter out Windows event log WMI events based on the Logfile field value. This is an example for sending Security logs to the WinEvtSec custom index. You'll need to create a separate transform for every log channel, Application, System, ... The FORMAT key holds the custom index name.
system\local\transforms.conf
[wmi-sec-evt-index]
REGEX = (?m)Logfile=Security
DEST_KEY =_MetaData:Index
FORMAT = WinEvtSec
Reference this transform in props.conf under the "wmi" stanza
system\local\props.conf
[wmi]
TRANSFORMS-FIELDS = wmi-host, wmi-override-host, wmi-source, wmi-sourcetype, wmi-sec-evt-index
Notice how wmi-sec-evt-index is appended to the rest of the transforms for the wmi source. We have to make sure that the default transforms are preserved for the wmi events.
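To check the routing regexes before deploying them, here is an added Python simulation of the transforms pipeline described above; it is not part of the original answer and not Splunk's own code. It assumes the answer's stanza shape (one transform per channel, writing _MetaData:Index), models "last matching transform wins" for the same DEST_KEY, and adds a third constructed stanza that matches on two fields at once, using (?m) so that ^ and $ anchor at line boundaries inside one multi-line WMI event.

```python
import configparser
import re

# Constructed transforms.conf text in the shape the answer uses; the third
# stanza is an added generalisation that checks two fields in one regex.
TRANSFORMS_CONF = """
[wmi-app-evt-index]
REGEX = (?m)Logfile=Application
DEST_KEY = _MetaData:Index
FORMAT = WinEvtApp

[wmi-sec-evt-index]
REGEX = (?m)Logfile=Security
DEST_KEY = _MetaData:Index
FORMAT = WinEvtSec

[wmi-sec-logon-index]
REGEX = (?ms)^Logfile=Security$.*?^EventCode=4624$
DEST_KEY = _MetaData:Index
FORMAT = WinEvtSecLogon
"""

# Constructed multi-line events shaped like WMI Win32_NTLogEvent output.
SAMPLE_EVENTS = {
    "app":   "Logfile=Application\nEventCode=1000\nMessage=Faulting application",
    "sec":   "Logfile=Security\nEventCode=4672\nMessage=Special privileges assigned",
    "logon": "Logfile=Security\nEventCode=4624\nMessage=An account was successfully logged on",
    "sys":   "Logfile=System\nEventCode=7036\nMessage=Service entered the running state",
}


def load_transforms(conf_text):
    """Parse stanzas into (name, compiled regex, DEST_KEY, FORMAT) tuples, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return [(n, re.compile(cp[n]["REGEX"]), cp[n]["DEST_KEY"], cp[n]["FORMAT"])
            for n in cp.sections()]


def route(event, rules, default_index="main"):
    """Simulated index routing: every matching rule writes _MetaData:Index, so the
    last match in list order wins; an event no rule matches keeps the default index."""
    index = default_index
    for _name, regex, dest_key, fmt in rules:
        if dest_key == "_MetaData:Index" and regex.search(event):
            index = fmt
    return index


def route_all(conf_text=TRANSFORMS_CONF, events=SAMPLE_EVENTS):
    rules = load_transforms(conf_text)
    return {label: route(text, rules) for label, text in events.items()}
```

The "sys" event reaches no stanza and stays in the default index, which is the case to watch for when a channel is forgotten.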
How do we write a REGEX if we need to give 2 different field names and their values, and from above
"REGEX = (?m)Logfile=Security"
what is (?m) for and what does it do?
Correct me if I'm wrong other than ?(m) in REGEX.
transforms.conf
[wmi-host]
SOURCE_KEY=<fieldname1>,<fieldname2>
REGEX=?(m)<fieldname>=<fieldvalue>
DEST_KEY =_MetaData:Index
FORMAT = <new_indexname>
props.conf
[sourcetype]
TRANSFORMS-FIELDS = wmi-host, wmi-source, wmi-sourcetype
Note that you don't have to append to the existing. In fact, it will be easier to just define a new transform from scratch, with TRANSFORMS-something = wmi-sec-evt-index, with -something set to anything other than -FIELDS.
How do we write a REGEX if we need to give 2 different field names and their values, and from above "REGEX = (?m)Logfile=Security"
what is (?m)?
Correct me if I'm wrong.
'Logfile' is the field name and 'Security' is the field value.