How do you use a CLONE_SOURCETYPE to parse a sourcetype?

gbeatty
Path Finder

Hi all,

I am trying to set up WindowsEventLog to send all events with EventCode=4648 to one index, wineventlog_4648, and the remainder to a second index, wineventlog.

My progress so far has leaned heavily on this answer: https://answers.splunk.com/answers/565511/can-i-use-clone-sourcetype-to-send-events-to-multi.html.

However, I have been unable to get it to work. Am I fundamentally misunderstanding how some of these fields operate? To start, I am fine with duplicate entries but have not been able to populate wineventlog_4648 with any events.

Any guidance would be greatly appreciated.


inputs.conf

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

props.conf

[WinEventLog://Security]
TRANSFORMS-WinEventLog_4648

transforms.conf

[WinEventLog_4648]
CLONE_SOURCETYPE = WinEventLog_Security_4648
SOURCE_KEY = field:EventCode
REGEX = /4648/
FORMAT = wineventlog_4648
DEST_KEY = _MetaData:Index
0 Karma
1 Solution

gbeatty
Path Finder

Hey @woodcock

Thanks for the help. You were right about the name in props.conf.

I'm glad to say I figured it out, but I ended up doing it a different way, without CLONE_SOURCETYPE.

props.conf

[WinEventLog:Security]
TRANSFORMS-routing = routeSubset 

transforms.conf

[routeSubset]
REGEX = EventCode=4648
FORMAT = wineventlog_4648
DEST_KEY = _MetaData:Index

Thanks for helping me think of different ways to approach it.

0 Karma

woodcock
Esteemed Legend

I converted your comment to an answer. You should click Accept on it to close the question.

woodcock
Esteemed Legend

My other answer is true but you have other problems. This:

SOURCE_KEY = field:EventCode

Should be this:

SOURCE_KEY = EventCode

But even that won't work because the CLONE_SOURCETYPE feature is an index-time function and the EventCode field is not an index-time field so it doesn't yet exist to be used as SOURCE_KEY. Try this instead for transforms.conf:

[WinEventLog_4648]
CLONE_SOURCETYPE = WinEventLog_Security_4648
REGEX = EventCode=4648
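
To make the index-time behaviour discussed in this thread concrete (the accepted [routeSubset] transform above and the CLONE_SOURCETYPE variant in this answer), here is an added Python simulation. It is not part of the original thread and is not Splunk's own code. It runs both transforms over three constructed WinEventLog-style events; the hostnames, timestamps and the five-digit code 46481 are made up, and 46481 is there only because it begins with 4648. The simulator models just what the thread relies on: REGEX is tested against _raw (the default SOURCE_KEY, since search-time fields such as EventCode do not exist yet), a match writes FORMAT into DEST_KEY, and a CLONE_SOURCETYPE transform emits a copy of the event under the new sourcetype. It does not model the clone then being processed by the props.conf stanza for its new sourcetype, which is a simplification.

```python
import re

DEFAULT_INDEX = "wineventlog"              # index= from the inputs.conf in the question
DEFAULT_SOURCETYPE = "WinEventLog:Security"

# Constructed sample events in the multi-line key=value layout the Windows
# add-on writes to _raw. Timestamps and hostnames are made up; the 46481 event
# exists only to show what an unanchored regex does with a longer code.
SAMPLE_EVENTS = [
    "04/30/2024 10:15:01 AM\nLogName=Security\nEventCode=4648\n"
    "ComputerName=ws01.example.local\n"
    "Message=A logon was attempted using explicit credentials.\n",
    "04/30/2024 10:15:02 AM\nLogName=Security\nEventCode=4624\n"
    "ComputerName=ws01.example.local\n"
    "Message=An account was successfully logged on.\n",
    "04/30/2024 10:15:03 AM\nLogName=Security\nEventCode=46481\n"
    "ComputerName=ws01.example.local\n"
    "Message=constructed event whose code merely starts with 4648\n",
]

# The accepted answer's [routeSubset] stanza, as a dict this simulator reads.
ROUTE_SUBSET = {"REGEX": r"EventCode=4648",
                "FORMAT": "wineventlog_4648", "DEST_KEY": "_MetaData:Index"}

# Same intent, but matched against one whole line. (?m) makes ^ and $ line
# anchors in PCRE just as in Python; \r? tolerates CRLF line endings.
ROUTE_SUBSET_ANCHORED = {"REGEX": r"(?m)^EventCode=4648\r?$",
                         "FORMAT": "wineventlog_4648", "DEST_KEY": "_MetaData:Index"}

# The CLONE_SOURCETYPE transform suggested in this answer.
CLONE_4648 = {"REGEX": r"EventCode=4648",
              "CLONE_SOURCETYPE": "WinEventLog_Security_4648"}


def apply_transforms(raw, transforms, index=DEFAULT_INDEX, sourcetype=DEFAULT_SOURCETYPE):
    """Run a props.conf TRANSFORMS- list over one event (simplified model).

    Each REGEX is tested against _raw. On a match, FORMAT is written to
    DEST_KEY, later transforms overwriting earlier ones. A CLONE_SOURCETYPE
    transform instead emits a copy of the event under the new sourcetype and
    leaves the original untouched. Returns (index, sourcetype, raw) tuples.
    """
    meta = {"_MetaData:Index": index, "MetaData:Sourcetype": sourcetype}
    clones = []
    for t in transforms:
        if not re.search(t["REGEX"], raw):
            continue
        if "CLONE_SOURCETYPE" in t:
            # Real Splunk would now run the clone through props.conf for its
            # new sourcetype; that step is not modelled here.
            clones.append((index, t["CLONE_SOURCETYPE"], raw))
        else:
            meta[t["DEST_KEY"]] = t["FORMAT"]
    return [(meta["_MetaData:Index"], meta["MetaData:Sourcetype"], raw)] + clones


def route_indexes(events, transforms):
    """Map each sample event's EventCode value to the index(es) it lands in."""
    out = {}
    for raw in events:
        code = re.search(r"^EventCode=(\d+)", raw, re.MULTILINE).group(1)
        out[code] = [idx for idx, _st, _raw in apply_transforms(raw, transforms)]
    return out


if __name__ == "__main__":
    for label, tf in (("unanchored", [ROUTE_SUBSET]), ("anchored", [ROUTE_SUBSET_ANCHORED])):
        print(label, route_indexes(SAMPLE_EVENTS, tf))
    for idx, st, _ in apply_transforms(SAMPLE_EVENTS[0], [CLONE_4648]):
        print("clone path:", idx, st)
```

Running it shows the unanchored `EventCode=4648` also sends the constructed 46481 event to wineventlog_4648, while `(?m)^EventCode=4648\r?$` routes only the exact code. Because the index an event lands in decides its retention and which roles can search it, anchoring the match is the check worth adding when the routed subset is something as sensitive as explicit-credential logons. On a real forwarder or indexer, `splunk btool props list WinEventLog:Security --debug` and `splunk btool transforms list routeSubset --debug` confirm which stanza actually applies and from which app, which is the quickest way to catch the stanza-name mismatch this thread turned on.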

woodcock
Esteemed Legend

Your problem is in props.conf. This part is wrong:

[WinEventLog://Security]

It must match your sourcetype value exactly, so it should probably be this (but check your events to be sure):

[WinEventLog:Security]

gbeatty
Path Finder

Unfortunately this did not solve it. Thank you though.

0 Karma