Getting Data In

How do you use a CLONE_SOURCETYPE to parse a sourcetype?

gbeatty
Path Finder

Hi all,

I am trying to set up WindowsEventLog to send all events with EventCode=4648 to one index, wineventlog_4648, and the remainder to a second index, wineventlog.

My progress so far has leaned heavily on this answer: https://answers.splunk.com/answers/565511/can-i-use-clone-sourcetype-to-send-events-to-multi.html.

However, I have been unable to get it to work. Am I fundamentally misunderstanding how some of these fields operate? To start, I am fine with duplicate entries but have not been able to populate wineventlog_4648 with any events.

Any guidance would be greatly appreciated.


inputs.conf

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

props.conf

[WinEventLog://Security]
TRANSFORMS-WinEventLog_4648

transforms.conf

[WinEventLog_4648]
CLONE_SOURCETYPE = WinEventLog_Security_4648
SOURCE_KEY = field:EventCode
REGEX = /4648/
FORMAT = wineventlog_4648
DEST_KEY = _MetaData:Index
0 Karma
1 Solution

gbeatty
Path Finder

Hey @woodcock

Thanks for the help. You were right about the name in props.conf.

I'm glad to say I figured it out, but I ended up doing it a different way, without CLONE_SOURCETYPE.

props.conf

[WinEventLog:Security]
TRANSFORMS-routing = routeSubset

transforms.conf

[routeSubset]
REGEX = EventCode=4648
FORMAT = wineventlog_4648
DEST_KEY = _MetaData:Index

Thanks for helping me think of different ways to approach it.

0 Karma

woodcock
Esteemed Legend

I converted your comment to an answer. You should click Accept on it to close the question.

woodcock
Esteemed Legend

My other answer is true but you have other problems. This:

SOURCE_KEY = field:EventCode

Should be this:

SOURCE_KEY = EventCode

But even that won't work because the CLONE_SOURCETYPE feature is an index-time function and the EventCode field is not an index-time field so it doesn't yet exist to be used as SOURCE_KEY. Try this instead for transforms.conf:

[WinEventLog_4648]
CLONE_SOURCETYPE = WinEventLog_Security_4648
REGEX = EventCode=4648
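To make the three points in this thread concrete (the props.conf stanza name must equal the sourcetype exactly, a search-time field such as EventCode is not available as SOURCE_KEY at index time, and a routing or cloning transform only fires when its REGEX matches what is actually present), here is a small Python model of the index-time transform step. It is an added illustration written for this thread, not Splunk's code: the event text is constructed, the "clone is reprocessed under its new sourcetype's props stanza" behaviour is modelled as an assumption, and the stanza names routeSubset and WinEventLog_4648 are taken from the posts above.

```python
"""Toy model of Splunk index-time routing/cloning transforms (added example)."""
import re
from copy import deepcopy

# Constructed sample events resembling WinEventLog:Security data (not real logs).
EVENTS = [
    {"_raw": "09/01/2019 10:00:01 AM\nLogName=Security\nEventCode=4648\n"
             "Message=A logon was attempted using explicit credentials.",
     "sourcetype": "WinEventLog:Security", "_MetaData:Index": "wineventlog"},
    {"_raw": "09/01/2019 10:00:02 AM\nLogName=Security\nEventCode=4624\n"
             "Message=An account was successfully logged on.",
     "sourcetype": "WinEventLog:Security", "_MetaData:Index": "wineventlog"},
]

# The only keys that exist when index-time transforms run in this model.
# Search-time extractions such as EventCode are not among them.
INDEX_TIME_KEYS = ("_raw", "sourcetype", "_MetaData:Index")

# transforms.conf stanzas from the thread, as dicts.
ROUTE_SUBSET = {"REGEX": r"EventCode=4648", "FORMAT": "wineventlog_4648",
                "DEST_KEY": "_MetaData:Index"}
BROKEN_SOURCE_KEY = {"SOURCE_KEY": "EventCode", "REGEX": r"4648",
                     "FORMAT": "wineventlog_4648", "DEST_KEY": "_MetaData:Index",
                     "CLONE_SOURCETYPE": "WinEventLog_Security_4648"}
CLONE_ONLY = {"REGEX": r"EventCode=4648",
              "CLONE_SOURCETYPE": "WinEventLog_Security_4648"}


def apply_transform(event, stanza):
    """Apply one transforms.conf stanza to one event; return the events that continue."""
    key = stanza.get("SOURCE_KEY", "_raw")
    # An unknown (search-time) key is empty at index time, so REGEX cannot match it.
    subject = event.get(key, "") if key in INDEX_TIME_KEYS else ""
    if not re.search(stanza["REGEX"], subject):
        return [event]
    out, target = [event], event
    if "CLONE_SOURCETYPE" in stanza:
        clone = deepcopy(event)
        clone["sourcetype"] = stanza["CLONE_SOURCETYPE"]
        out.append(clone)
        target = clone  # assumption: DEST_KEY/FORMAT in a clone stanza act on the clone
    if "DEST_KEY" in stanza:
        target[stanza["DEST_KEY"]] = stanza["FORMAT"]
    return out


def run_pipeline(events, props, transforms):
    """props: {stanza_name: [transform names]}; transforms: {name: stanza dict}."""
    done, queue = [], [deepcopy(e) for e in events]
    while queue:
        ev = queue.pop(0)
        pending = [ev]
        # Only an exact stanza-name match selects the transforms (no wildcard here).
        for name in props.get(ev["sourcetype"], []):
            nxt = []
            for e in pending:
                nxt.extend(apply_transform(e, transforms[name]))
            pending = nxt
        for e in pending:
            if e["sourcetype"] == ev["sourcetype"]:
                done.append(e)
            else:
                queue.append(e)  # modelled: a clone re-enters under its new sourcetype's props
    return done


def index_counts(events):
    """Count events per (sourcetype, index) so each scenario is easy to compare."""
    counts = {}
    for e in events:
        k = (e["sourcetype"], e["_MetaData:Index"])
        counts[k] = counts.get(k, 0) + 1
    return counts


def scenario_wrong_stanza_name():
    # props.conf stanza written as the input name, not the sourcetype: nothing applies.
    return index_counts(run_pipeline(EVENTS, {"WinEventLog://Security": ["routeSubset"]},
                                     {"routeSubset": ROUTE_SUBSET}))


def scenario_broken_source_key():
    # SOURCE_KEY = EventCode is empty at index time, so no routing and no clone.
    return index_counts(run_pipeline(EVENTS, {"WinEventLog:Security": ["WinEventLog_4648"]},
                                     {"WinEventLog_4648": BROKEN_SOURCE_KEY}))


def scenario_accepted_routing():
    # The accepted answer: REGEX against _raw, DEST_KEY rewrites the index.
    return index_counts(run_pipeline(EVENTS, {"WinEventLog:Security": ["routeSubset"]},
                                     {"routeSubset": ROUTE_SUBSET}))


def scenario_clone_then_route():
    # CLONE_SOURCETYPE as suggested, plus a props stanza for the clone's sourcetype
    # that routes it (the original 4648 event stays in wineventlog, so it is duplicated).
    return index_counts(run_pipeline(
        EVENTS,
        {"WinEventLog:Security": ["WinEventLog_4648"],
         "WinEventLog_Security_4648": ["routeSubset"]},
        {"WinEventLog_4648": CLONE_ONLY, "routeSubset": ROUTE_SUBSET}))


if __name__ == "__main__":
    for fn in (scenario_wrong_stanza_name, scenario_broken_source_key,
               scenario_accepted_routing, scenario_clone_then_route):
        print(fn.__name__, fn())
```

The first two scenarios leave both events in wineventlog, which is the symptom described in the question; the routing scenario moves only the 4648 event, and the clone scenario keeps the original in wineventlog while the copy (with the new sourcetype) lands in wineventlog_4648. In a real deployment, check the actual sourcetype value on the indexed events before naming the props.conf stanza, and confirm the clone stanza's behaviour against the transforms.conf.spec for your Splunk version, since the clone handling here is a simplification.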

woodcock
Esteemed Legend

Your problem is in props.conf. This part is wrong:

[WinEventLog://Security]

It must match your sourcetype value exactly, so it should probably be this (but check your events to be sure):

[WinEventLog:Security]

gbeatty
Path Finder

Unfortunately this did not solve it. Thank you though.

0 Karma