Getting Data In

How to index specific fields of a Windows event log event?

Contributor

I have a custom Windows Event log that was written to accomodate a specific web application running in IIS. Basically it is a web form used by a client program for automated uploading. As such, the event log only has a single event type. Every custom event log entry represents a successful file upload. There are something like 11 fields plus a timestamp. As such, 90% of the useful information in the event is in the Message field. So all I really want to index is the timestamp, ComputerName field and Message field. I don't need the other 9 fields in the Splunk index. Is there a method for only indexing specific parts of a Windows Event?

0 Karma
1 Solution

SplunkTrust
SplunkTrust

You can use the technique mentioned here to replace the other portion of the events with blank during index time, so only the necessary information gets logged.
http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Anonymizedatausingconfigurationfiles#Anonymiz...

View solution in original post

Contributor

Ok, I found what I was doing wrong. If specifying a sourcetype instead of a source, all I need in the stanza head is just the sourcetype name [WinEventLog:JKReceive], not [sourcetype::WinEventLog:JKReceive]. Substitution is working now. Not sure if there is a way to actually remove an entire line or not.
-------UPDATE

Ok, if I just leave no space between the slashes, my substitution will "replace" the entry it finds with nothing, which removes the entire line. Perfect, now I can save a lot of indexing space. My SEDCMD looks like this:

[WinEventLog:JKReceive]
SEDCMD-LogName = s/LogName=JKReceive\r\n//
SEDCMD-SourceName = s/SourceName=JKReceive\r\n//

If I add the \r\n it also removes the carriage return/line feed, and doesn't leave all the blank space between lines in the index. And both lines disappear.

Contributor

I'm not having any luck so far getting the SEDCMD to do anything at all. Here is an example of what my event log entry looks like (Message is all one line):

08/28/2015 09:23:02 AM
LogName=JKReceive
SourceName=JKReceive
EventCode=0
EventType=4
Type=Information
ComputerName=servername.site.domain.ext
TaskCategory=%1
OpCode=Info
RecordNumber=3680885
Keywords=Classic
Message=File received from user: xxxx-aasf2 - file name: \\server\folder\data\site\UH1H_93-015.ITA size: 27971 date: 8/28/2015 1:59:42 PM

What I'm hoping to do is whittle it down to just this in the index:

08/28/2015 09:23:02 AM
Message=File received from user: xxxx-aasf2 - file name: \\server\folder\data\site\UH1H_93-015.ITA size: 27971 date: 8/28/2015 1:59:42 PM

Is that possible using a SED script doing substitutions?

So far, I've tried this in the props.conf in an attempt to replace the LogName line with just an x, but am getting no results whatsoever:

[sourcetype::WinEventLog:JKReceive]
SEDCMD-LogName = y/LogName=JKReceive/X/g

I've tried s instead of y with the same lack of results. I'm sure I'm just completely failing to understand the syntax, but I can't find any successful examples to use as a guide.

0 Karma

SplunkTrust
SplunkTrust

You can use the technique mentioned here to replace the other portion of the events with blank during index time, so only the necessary information gets logged.
http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Anonymizedatausingconfigurationfiles#Anonymiz...

View solution in original post