Getting Data In

How to route window system logs to a different index

usup_rajbahak
Path Finder

Hey there,

I have a Windows forwarder sending the server's application, system and security logs to the indexers. I need to route only the security logs to a different index. I've tried a few different things but none seem to be working. This is my latest config:

props.conf
[WinEventLog]
TRANSFORMS-FIELDS = WinEventLog

transforms.conf
[WinEventLog]
SOURCE_KEY=sourcetype
REGEX=source=WinEventLog:Security
DEST_KEY=_Metadata:Index
FORMAT=Security

What am I doing wrong here? Thanks a lot

0 Karma

PickleRick
SplunkTrust

Why don't you set the proper index on input in the first place?

0 Karma

jonasmeier
Explorer

Any case where a deployed inputs.conf cannot be accessed or changed. My scenario was attaching new indexers to an existing infrastructure as preparation for a migration. But index names also changed, so for a specific period we had to write events to two different indexes on different indexers. Kind of a special case though.

0 Karma

PickleRick
SplunkTrust

Baaah, I didn't notice it was a "golden shovel" post 😉

Of course, in some special cases one can use the index-time manipulation of metadata fields but in general if you can set the metadata right from the start, you should use that functionality. It's good to keep things simple and consistent. Forgotten custom solutions tend to bite you in the rear end in the least appropriate moment 🙂

0 Karma

usup_rajbahak
Path Finder

hey Ayn,

thanks for your reply. The logs are still going to the main index.

Here's my latest transforms.conf config

[WinEventLog]
SOURCE_KEY=MetaData:Sourcetype
REGEX=WinEventLog:Security
DEST_KEY=_MetaData:Index
FORMAT=Security

And I restarted splunkd after making the changes.

0 Karma

jonasmeier
Explorer

Years later 🙂

According to https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#KEYS: the correct solution was:

[WinEventLog]
SOURCE_KEY=MetaData:Sourcetype
REGEX=sourcetype::WinEventLog:Security
DEST_KEY=_MetaData:Index
FORMAT=Security
Problems:

- Syntax for indexed fields (:: instead of :) has to be used in REGEX

- There was a mix between sourcetype (in SOURCE_KEY) and source (in REGEX)

- Case sensitivity of indexes is delicate, so I would always only use lowercase (FORMAT)
As of Splunk Add-on for Windows >=5.0.0 the sourcetype contains only "WinEventLog" (or XmlWinEventLog) for all event logs, so the correct solution to specifically route WinEventLog:Security is:

[WinEventLogSecurityRouting]
SOURCE_KEY=MetaData:Source
REGEX=source::WinEventLog:Security
DEST_KEY=_MetaData:Index
FORMAT=security

0 Karma

Ayn
Legend

I see a couple of issues with how you've set things up.

  • SOURCE_KEY shouldn't be just "sourcetype", it should be "MetaData:Sourcetype".
  • DEST_KEY should start with "_MetaData", not "_Metadata" (note the capital D).
  • The "MetaData:Sourcetype" value will be simply the string specifying the sourcetype, so "source=WinEventLog:Security" will not match. Perhaps you want to match on just "WinEventLog:Security"?
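The points made by Ayn (case-sensitive key names) and by jonasmeier (`::` syntax, source vs. sourcetype, the add-on >= 5.0.0 sourcetype change) can be checked offline with the small model below. It is an added example, not Splunk's code and not something from the thread: it parses a constructed transforms.conf fragment with Python's configparser and applies a simplified version of the index-time routing rule. The model assumes what the transforms.conf spec documents, namely that `MetaData:Source` reads as `source::<value>` and `MetaData:Sourcetype` as `sourcetype::<value>`, and it assumes that an unrecognised SOURCE_KEY or DEST_KEY (such as `sourcetype` or `_Metadata:Index`) simply leaves the event untouched. The event records and index names are constructed sample data.

```python
import configparser
import re

# Constructed sample transforms.conf text (not from any real deployment):
# the original poster's first attempt, followed by the routing stanza
# jonasmeier gave for Splunk Add-on for Windows >= 5.0.0.
TRANSFORMS_CONF = """
[WinEventLog]
SOURCE_KEY=sourcetype
REGEX=source=WinEventLog:Security
DEST_KEY=_Metadata:Index
FORMAT=Security

[WinEventLogSecurityRouting]
SOURCE_KEY=MetaData:Source
REGEX=source::WinEventLog:Security
DEST_KEY=_MetaData:Index
FORMAT=security
"""

# Constructed events. With the add-on >= 5.0.0 every Windows event log
# shares the sourcetype "WinEventLog"; only "source" tells channels apart.
EVENTS = {
    "security": {"source": "WinEventLog:Security", "sourcetype": "WinEventLog", "index": "main"},
    "system": {"source": "WinEventLog:System", "sourcetype": "WinEventLog", "index": "main"},
}


def parse_transforms(text):
    """Parse transforms.conf stanzas into {stanza_name: {KEY: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep SOURCE_KEY, REGEX, ... case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def metadata_view(event):
    """Assumed model of what REGEX sees for each SOURCE_KEY: the
    transforms.conf spec documents the "<key>::<value>" form for
    MetaData:Source and MetaData:Sourcetype."""
    return {
        "MetaData:Source": f"source::{event['source']}",
        "MetaData:Sourcetype": f"sourcetype::{event['sourcetype']}",
        "_MetaData:Index": event["index"],
    }


def apply_transform(event, stanza):
    """Return the event's index after one stanza is applied.
    Key names are case-sensitive, so a SOURCE_KEY of "sourcetype" or a
    DEST_KEY of "_Metadata:Index" is treated as a no-op (assumption)."""
    view = metadata_view(event)
    source_key = stanza.get("SOURCE_KEY", "_raw")
    if source_key not in view or stanza.get("DEST_KEY") != "_MetaData:Index":
        return event["index"]
    if re.search(stanza["REGEX"], view[source_key]):
        return stanza["FORMAT"]
    return event["index"]


def route(event, stanzas):
    """Apply stanzas in order (the order TRANSFORMS-<name> lists them)."""
    index = event["index"]
    for stanza in stanzas:
        index = apply_transform({**event, "index": index}, stanza)
    return index


if __name__ == "__main__":
    conf = parse_transforms(TRANSFORMS_CONF)
    for name, stanza in conf.items():
        for label, event in EVENTS.items():
            print(f"{name:28s} {label:9s} -> index={route(event, [stanza])}")
```

Running it shows the original stanza leaving both events in `main`, while `WinEventLogSecurityRouting` moves only the Security channel to `security` and leaves `WinEventLog:System` alone. Swapping the stanza to `SOURCE_KEY=MetaData:Sourcetype` with `REGEX=sourcetype::WinEventLog:Security` reproduces jonasmeier's second observation: it matches nothing once every channel reports the sourcetype `WinEventLog`.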