Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to handle Windows 2008 event log descriptive text with a universal forwarder

gpullis
Communicator
‎05-09-2011 11:08 AM

The crazily verbose descriptive text that's appended to the end of many Windows Server 2008 events has been covered in Splunk Answer Disabling or removing extra description text in Windows 2008 event logs?, with an excellent answer by jervin involving using SEDCMD in props.conf to trim the description off.

The problem is, per Configuration parameters and the data pipeline, a universal forwarder can't do a SEDCMD. It seems to me like you couldn't use a universal forwarder on a Windows 2008 server without absolutely murdering your Splunk license with all that descriptive text.

Can anyone think of a way around this problem?

Reply
1 Solution
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎05-09-2011 11:53 AM

You could implement the configuration where the data is being parsed, most likely the indexer, and it would also alter the data in the same way.

View solution in original post

Reply
Solved! Jump to solution

reedmohn
Communicator
‎06-12-2014 05:37 AM

What is the resource cost of doing this on the indexers? After all, in a Windows heavy environment, some of the events with these descriptions probably make up the bulk of logged security events.

Is there a way of doing it on an intermediary step? Ie. putting an intermediary forwarder between the Windows forwarders and the indexers?

0 Karma
Reply
Solved! Jump to solution

rnagheereddy
Explorer
‎01-06-2012 07:46 AM

Make the forwarder a "Heavy Forwarder" and do the work before the data is sent to the Indexer. The tradeoff is that your forwarder will have higher CPU utilization.

I love the descriptive text when I'm scrolling through an actual event log, but I don't need to index or store ten gazillion copies of MSFT boilerplate in my Splunk db.

I'm literally in the middle of doing this so thanks for your link to the SEDCMD article!

0 Karma
Reply
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎05-09-2011 11:53 AM

You could implement the configuration where the data is being parsed, most likely the indexer, and it would also alter the data in the same way.

Reply
Solved! Jump to solution

ephemeric
Contributor
‎07-23-2012 08:04 AM

You can also do "sendCookedData = false" on the SUF and then work on the events on the indexer or heavy forwarder.

0 Karma
Reply
Solved! Jump to solution

gpullis
Communicator
‎05-09-2011 12:00 PM

Thanks! Also, according to
http://splunk-base.splunk.com/answers/7171/sed-cmd-and-indexing-volume-count/7172

Since parsing happens before indexing, what SEDCMD chops off -- even on the indexer -- is not counted towards the license.

Reply
Solved! Jump to solution

gpullis
Communicator
‎05-09-2011 11:55 AM

Correct, but then doesn't the unparsed data as it comes into the indexer count against my license?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...