How do I index only critical events?

tmontney
Builder

I'm trying to use advanced whitelist filtering, but I'm coming up short. Basically, I want to index all Windows event logs that have a Type of Critical. I see EventType and Type, but neither is what I'm looking for.

Perhaps I can do transforms?

0 Karma

ccl0utier
Splunk Employee

I assume you could use the severity_id or severity field?


If not, can you provide an example of your event data and how you'd like to filter them?

0 Karma

tmontney
Builder

If severity ID maps to Level, sure. I'm not seeing that referenced in the docs. Just take your event log and filter for Critical. That's all I'm looking for.

0 Karma

ccl0utier
Splunk Employee

I don't have any in my test env.

0 Karma

tmontney
Builder

You can use any of them, like Error or Warning.

0 Karma

ccl0utier
Splunk Employee

Not exactly what you are looking for, I know, but you could try to blacklist unwanted events instead and see if that works for you:

blacklist = Type="(Information)"

Alternatively, you could run a network trace to see if the level field is collected by the Splunk UF and in what form and then whitelist only that. I'll try to set that up in my lab and see what I get.

0 Karma

ccl0utier
Splunk Employee

Assuming you are using Universal Forwarders on your Windows servers, you could use the blacklist facility in inputs.conf.

For example the Splunk Add-on for Microsoft Windows comes with this blacklist by default for security log events:

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml = false

The reference documentation is here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Event_Log_whitelist_and_blackli...

0 Karma
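To make the whitelist/blacklist behaviour discussed in this thread concrete, here is an added example (not code from the original posts, the Splunk Add-on, or Splunk itself) that simulates how the inputs.conf entries quoted above would be applied to a handful of constructed events. It models the rules as I understand them from the inputs.conf spec: a bare comma-separated value is a list of EventCodes (ranges such as 4000-4100 allowed); a key="regex" value is matched per key, with all pairs in one entry having to match; numbered entries (blacklist1, blacklist2, ...) are alternatives; an event must pass the whitelist (if any) and must not match any blacklist entry. The unanchored regex search, the stanza dicts, and the sample events are assumptions made for the example; check the linked reference documentation before relying on the exact matching rules. Because the thread does not settle how a Level 1 (Critical) event is rendered in the classic text format, the samples only use the Error and Information values that the thread mentions.

```python
import re

# Constructed sample events in the classic (renderXml = false) layout, reduced to
# the fields the filters reference. These are made-up examples, not captured data.
SAMPLE_EVENTS = [
    {"EventCode": "1000", "Type": "Error",
     "Message": "Faulting application name: app.exe"},
    {"EventCode": "1001", "Type": "Information",
     "Message": "Fault bucket, type 0"},
    {"EventCode": "11707", "Type": "Information",
     "Message": "Product: Example -- Installation completed successfully."},
    {"EventCode": "4662", "Type": "Information",
     "Message": "An operation was performed on an object.\nObject Type: groupPolicyContainer"},
    {"EventCode": "4662", "Type": "Information",
     "Message": "An operation was performed on an object.\nObject Type: user"},
    {"EventCode": "7034", "Type": "Error",
     "Message": "The Example service terminated unexpectedly."},
]


def parse_entry(value):
    """Parse one whitelist/blacklist value.

    Returns ("codes", set_of_ints) for a plain EventCode list such as
    "1000, 1001, 11707, 11724" or "4000-4100", and ("pairs", [(key, regex), ...])
    for the key="regex" form such as EventCode="4662" Message="...".
    """
    value = value.strip()
    pairs = re.findall(r'(\w+)="([^"]*)"', value)
    if pairs:
        return ("pairs", [(key, re.compile(rx)) for key, rx in pairs])
    codes = set()
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:                      # inclusive range, e.g. 4000-4100
            lo, hi = part.split("-", 1)
            codes.update(range(int(lo), int(hi) + 1))
        else:
            codes.add(int(part))
    return ("codes", codes)


def entry_matches(entry, event):
    """True if one whitelist/blacklist entry matches the event."""
    kind, spec = entry
    if kind == "codes":
        return int(event["EventCode"]) in spec
    # Every key=regex pair in the entry must match (AND). A key the event lacks
    # never matches. Unanchored search is an assumption of this simulation.
    return all(key in event and rx.search(event[key]) for key, rx in spec)


def collect(stanza, prefix):
    """Gather 'whitelist', 'whitelist1', ... (or the blacklist equivalents)."""
    return [parse_entry(v) for k, v in stanza.items()
            if re.fullmatch(prefix + r"\d*", k)]


def apply_filters(stanza, events):
    """Return the events that would be forwarded under the given stanza keys."""
    whitelists = collect(stanza, "whitelist")
    blacklists = collect(stanza, "blacklist")
    kept = []
    for ev in events:
        # A whitelist, when present, is a gate: the event must match at least one entry.
        if whitelists and not any(entry_matches(e, ev) for e in whitelists):
            continue
        # Any matching blacklist entry drops an event that passed the whitelist.
        if any(entry_matches(e, ev) for e in blacklists):
            continue
        kept.append(ev)
    return kept


def kept_codes(stanza, events=SAMPLE_EVENTS):
    """EventCodes of the surviving events, in input order (handy for checking)."""
    return [ev["EventCode"] for ev in apply_filters(stanza, events)]


# The original poster's Application stanza: keep only the listed event codes.
OP_STANZA = {"whitelist": "1000, 1001, 11707, 11724"}
# The suggestion from the thread: drop Information-level events.
DROP_INFO_STANZA = {"blacklist": 'Type="(Information)"'}
# The add-on style rule: drop 4662 unless the object is a groupPolicyContainer.
ADDON_STANZA = {"blacklist1": r'EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"'}
# Whitelist and blacklist together: of the four listed codes only the Error survives.
COMBINED_STANZA = {"whitelist": "1000, 1001, 11707, 11724", "blacklist": 'Type="(Information)"'}

if __name__ == "__main__":
    for name, stanza in [("OP", OP_STANZA), ("drop Information", DROP_INFO_STANZA),
                         ("add-on 4662 rule", ADDON_STANZA), ("combined", COMBINED_STANZA)]:
        print(f"{name:18s} -> {kept_codes(stanza)}")
```

The combined stanza is the closest the thread gets to the original question: a whitelist narrows to the event codes of interest and a Type blacklist removes the noise among them. Note the negative lookahead in the add-on rule: it drops 4662 events for every object type except groupPolicyContainer, so the regex must be run against the Message field, not the EventCode alone.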

tmontney
Builder

Well, I see the field "Level" in the XML of most event logs. Splunk isn't pulling that field by default. If I could get this field working, I could do it this way but not sure how the rendering of XML comes into play.

0 Karma

ccl0utier
Splunk Employee

What's your current setup to pull Windows Log Events into Splunk at the moment?
What do the events look like?

0 Karma

tmontney
Builder

Using the standard universal forwarder.

[WinEventLog://Application]
disabled = 0
index = wineventlog
interval = 60
whitelist = 1000, 1001, 11707, 11724

Say, for example, I wanted to turn this into pulling only Critical-level events. The Level field is numeric and always seems to be 1. I know it exists because I can see it in XML View in Event Log viewer, on a PC.

0 Karma