Getting Data In

How do I index only critical events?

tmontney
Builder

I'm trying to use advanced whitefilter, but I'm coming up short. Basically, I want to index all Windows event logs that have a Type of Critical. I see EventType and Type, but neither is what I'm looking for.

Perhaps I can do transforms?

0 Karma

ccl0utier
Splunk Employee

I assume you could use the severity_id or severity field?


If not, can you provide an example of your event data and how you'd like to filter them?

0 Karma

tmontney
Builder

If severity ID maps to Level, sure. I'm not seeing that referenced in the docs. Just take your event log and filter for Critical. That's all I'm looking for.

0 Karma

ccl0utier
Splunk Employee

I don't have any in my test env.

0 Karma

tmontney
Builder

You can use any of them, like Error or Warning.

0 Karma

ccl0utier
Splunk Employee

Not exactly what you are looking for, I know, but you could try to blacklist unwanted events instead and see if that works for you:

blacklist = Type="(Information)"

Alternatively, you could run a network trace to see if the level field is collected by the Splunk UF and in what form and then whitelist only that. I'll try to set that up in my lab and see what I get.

0 Karma

ccl0utier
Splunk Employee

Assuming you are using Universal Forwarders on your Windows servers, you could use the blacklist facility in inputs.conf.

For example the Splunk Add-on for Microsoft Windows comes with this blacklist by default for security log events:

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=false

The reference documentation is here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Event_Log_whitelist_and_blackli...

0 Karma

tmontney
Builder

Well, I see the field "Level" in the XML of most event logs. Splunk isn't pulling that field by default. If I could get this field working, I could do it this way, but I'm not sure how the rendering of XML comes into play.

0 Karma

ccl0utier
Splunk Employee

What's your current setup to pull Windows Log Events into Splunk at the moment?
What do the events look like?

0 Karma

tmontney
Builder

Using the standard universal forwarder.

[WinEventLog://Application]
disabled = 0
index = wineventlog
interval = 60
whitelist = 1000, 1001, 11707, 11724

Say for example I wanted to turn this into pulling only Critical level events. The Level field is numeric, always seems to be 1. I know it exists because I can see it in XML View in Event Log viewer, on a PC.

0 Karma
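As an added example that is not part of this thread (neither poster's configuration), here is what the Application stanza above looks like when the blacklist idea suggested earlier is turned around into a whitelist that keeps only Critical events. It assumes that the forwarder's classic rendering (renderXml = false) exposes the event level under the "Type" key with values such as Critical, Error, Warning and Information, which is the same assumption the blacklist = Type="(Information)" suggestion relies on; the index name and interval are simply carried over from the stanza posted above.

```ini
# Added example, not taken from the thread. Assumes the classic (non-XML)
# rendering exposes the event level as the "Type" key, so a key=regex
# whitelist can match on the level name instead of the numeric <Level>
# element that the forwarder does not extract by default.
[WinEventLog://Application]
disabled = 0
index = wineventlog
interval = 60
renderXml = false
# Keep only events whose Type is exactly Critical; anchors prevent a
# partial match on other level names.
whitelist = Type="^Critical$"

# Same outcome expressed as a blacklist, for sites that prefer to list
# what is dropped: everything except Critical is discarded. Shown on the
# System log so the two stanzas do not conflict.
[WinEventLog://System]
disabled = 0
index = wineventlog
interval = 60
renderXml = false
blacklist = Type="^(Information|Warning|Error|Verbose)$"
```

After restarting the forwarder, a quick sanity check on the indexer is a search such as `index=wineventlog sourcetype=WinEventLog:Application | stats count by Type`: if anything other than Critical shows up, the Type value in your environment differs from the assumption above, and the value you see in that table is the one to put in the regex.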