How to index specific fields of a Windows event log event?

DaClyde
Contributor

I have a custom Windows Event log that was written to accommodate a specific web application running in IIS. Basically it is a web form used by a client program for automated uploading. As such, the event log only has a single event type. Every custom event log entry represents a successful file upload. There are something like 11 fields plus a timestamp. As such, 90% of the useful information in the event is in the Message field. So all I really want to index is the timestamp, ComputerName field and Message field. I don't need the other 9 fields in the Splunk index. Is there a method for only indexing specific parts of a Windows Event?

0 Karma
1 Solution

somesoni2
Revered Legend

You can use the technique mentioned here to replace the other portion of the events with blank during index time, so only the necessary information gets logged.
http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Anonymizedatausingconfigurationfiles#Anonymiz...


DaClyde
Contributor

Ok, I found what I was doing wrong. If specifying a sourcetype instead of a source, all I need in the stanza head is just the sourcetype name [WinEventLog:JKReceive], not [sourcetype::WinEventLog:JKReceive]. Substitution is working now. Not sure if there is a way to actually remove an entire line or not.
-------UPDATE

Ok, if I just leave no space between the slashes, my substitution will "replace" the entry it finds with nothing, which removes the entire line. Perfect, now I can save a lot of indexing space. My SEDCMD looks like this:

[WinEventLog:JKReceive]
SEDCMD-LogName = s/LogName=JKReceive\r\n//
SEDCMD-SourceName = s/SourceName=JKReceive\r\n//

If I add the \r\n it also removes the carriage return/line feed, and doesn't leave all the blank space between lines in the index. And both lines disappear.
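Added example (not from the thread or from Splunk itself): a small Python simulation of what the props.conf SEDCMD lines above do to the sample event, so the regex can be checked before it is deployed. It applies the thread's two SEDCMDs, and also an assumed single expression that drops all nine unwanted fields at once while keeping the timestamp, ComputerName and Message, which is what the original question asked for. The generalised expression consumes the line break in front of each unwanted field, so no blank lines remain and no `^` anchor is needed. Python's `re` is used as a stand-in for the PCRE engine Splunk runs; for plain patterns like these the behaviour is the same. Two practical caveats: SEDCMD is applied at parse time, so the stanza has to live on the indexer or a heavy forwarder, not on a universal forwarder, and whatever you strip is gone for good, including RecordNumber, which is the field you would otherwise use to spot gaps in (or clearing of) the log.

```python
import re

# Constructed sample, copied from the event posted in this thread
# (placeholder host and user names as given there, not real systems).
SAMPLE_LINES = [
    "08/28/2015 09:23:02 AM",
    "LogName=JKReceive",
    "SourceName=JKReceive",
    "EventCode=0",
    "EventType=4",
    "Type=Information",
    "ComputerName=servername.site.domain.ext",
    "TaskCategory=%1",
    "OpCode=Info",
    "RecordNumber=3680885",
    "Keywords=Classic",
    r"Message=File received from user: xxxx-aasf2 - file name: \\server\folder\data\site\UH1H_93-015.ITA size: 27971 date: 8/28/2015 1:59:42 PM",
]
SAMPLE_EVENT = "\r\n".join(SAMPLE_LINES)

# The two SEDCMD values from the thread's working props.conf stanza.
THREAD_SEDCMDS = [
    r"s/LogName=JKReceive\r\n//",
    r"s/SourceName=JKReceive\r\n//",
]

# Assumed generalisation (not from the thread): one expression that drops
# every field except the timestamp, ComputerName and Message.  It eats the
# line break *before* each unwanted field, so nothing blank is left behind,
# and [^\r\n]* (rather than .*) keeps each match on its own line.
DROP_FIELDS = ("LogName", "SourceName", "EventCode", "EventType", "Type",
               "TaskCategory", "OpCode", "RecordNumber", "Keywords")
FULL_SEDCMD = r"s/\r\n(" + "|".join(DROP_FIELDS) + r")=[^\r\n]*//g"

# s/<regex>/<replacement>/<flags>; a literal "/" inside may be written "\/".
_SED_SYNTAX = re.compile(r"^s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/([gi]*)$")


def apply_sedcmd(event: str, sedcmd: str) -> str:
    """Apply one Splunk-style s/// SEDCMD to an event string."""
    m = _SED_SYNTAX.match(sedcmd)
    if not m:
        raise ValueError(f"unsupported SEDCMD syntax: {sedcmd}")
    pattern, replacement, flags = m.groups()
    pattern = pattern.replace(r"\/", "/")
    replacement = replacement.replace(r"\/", "/")
    count = 0 if "g" in flags else 1          # g = replace every match
    re_flags = re.IGNORECASE if "i" in flags else 0
    # Splunk writes backreferences as \1, which re.sub also understands.
    return re.sub(pattern, replacement, event, count=count, flags=re_flags)


def apply_stanza(event: str, sedcmds: list[str]) -> str:
    """Apply the SEDCMDs of a stanza in order, as Splunk does."""
    for cmd in sedcmds:
        event = apply_sedcmd(event, cmd)
    return event


def remaining_fields(event: str) -> list[str]:
    """Field names still present in the event, for a before/after check."""
    return [line.split("=", 1)[0] for line in event.split("\r\n") if "=" in line]


if __name__ == "__main__":
    print(apply_stanza(SAMPLE_EVENT, THREAD_SEDCMDS))
    print("---")
    print(apply_stanza(SAMPLE_EVENT, [FULL_SEDCMD]))
```

With the thread's two lines, nine named fields plus the timestamp survive; with the single generalised expression only ComputerName and Message do. If you adopt the combined form, the props.conf line is just `SEDCMD-dropfields = ` followed by the value of `FULL_SEDCMD`, in the same `[WinEventLog:JKReceive]` stanza.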

DaClyde
Contributor

I'm not having any luck so far getting the SEDCMD to do anything at all. Here is an example of what my event log entry looks like (Message is all one line):

08/28/2015 09:23:02 AM
LogName=JKReceive
SourceName=JKReceive
EventCode=0
EventType=4
Type=Information
ComputerName=servername.site.domain.ext
TaskCategory=%1
OpCode=Info
RecordNumber=3680885
Keywords=Classic
Message=File received from user: xxxx-aasf2 - file name: \\server\folder\data\site\UH1H_93-015.ITA size: 27971 date: 8/28/2015 1:59:42 PM

What I'm hoping to do is whittle it down to just this in the index:

08/28/2015 09:23:02 AM
Message=File received from user: xxxx-aasf2 - file name: \\server\folder\data\site\UH1H_93-015.ITA size: 27971 date: 8/28/2015 1:59:42 PM

Is that possible using a SED script doing substitutions?

So far, I've tried this in the props.conf in an attempt to replace the LogName line with just an x, but am getting no results whatsoever:

[sourcetype::WinEventLog:JKReceive]
SEDCMD-LogName = y/LogName=JKReceive/X/g

I've tried s instead of y with the same lack of results. I'm sure I'm just completely failing to understand the syntax, but I can't find any successful examples to use as a guide.

0 Karma
