Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there way to configure the inputs to use the source to find, then set the sourcetype and index when changing sourcetype of Windows Forwarded Events?

adalbor
Builder
‎06-18-2019 07:57 AM

Hey all,

I am looking to change the sourcetype of events originating from the source = WinEventLog:Microsoft-Windows-Windows Defender/Operational logs that are coming in through the Forwarded Events log on one of our WEC's thats collected via UF.

I want to send them to their own index and have that unique sourcetype so I can use it with the TA-microsoft-windefender.

Is there way to configure the inputs to use the source to find then set the sourcetype and index?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-18-2019 12:38 PM

Hi @adalbor,

From your windows TA on your UF and in the local folder, find the relevant monitor in inputs.conf : [WinEventLog://<name>]

And simply add the index name you wish to route to there. This works similarly to defining to which index a specific file monitor goes to.

Let me know if this works out for you.

Cheers,
David

View solution in original post

0 Karma
Reply
Solved! Jump to solution

adalbor
Builder
‎06-26-2019 12:35 PM

This is what I have so far, trying to test if it will work.

props.conf
[source::WinEventLog:Microsoft-Windows-Windows Defender/Operational]
TRANSFORMS-windef = win_defender_sourcetype,win_defender_index

transforms.conf
[win_defender_sourcetype]
REGEX = *
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::windows:defender

[win_defender_index]
REGEX = *
DEST_KEY = _MetaData:Index
FORMAT = ms_def

Have it on HF's and IDX's

0 Karma
Reply
Solved! Jump to solution

adalbor
Builder
‎07-12-2019 10:43 AM

The above didn't work and I tried changing the wildcard to a period and still nothing.

Anyone have any recommendations to make this work?

0 Karma
Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-18-2019 12:38 PM

Hi @adalbor,

From your windows TA on your UF and in the local folder, find the relevant monitor in inputs.conf : [WinEventLog://<name>]

And simply add the index name you wish to route to there. This works similarly to defining to which index a specific file monitor goes to.

Let me know if this works out for you.

Cheers,
David

0 Karma
Reply
Solved! Jump to solution

adalbor
Builder
‎06-18-2019 12:44 PM

Hey David,
I have the index specified for the monitoring stanza already.

I have Windows Security/System/WinDefender/Bitlocker events all going to the Forwarded Events on a WEC.

I was looking for a way to break out my WinDefender and Bitlocker events from that monitoring stanza by sourcetype and also put them in their own index.

The WEC that is collecting these events doesnt have WinDefender or Bitlocker installed so their respective log locations dont exist.

Thanks
Andrew

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-18-2019 06:30 PM

In that case since the data is already mixed up, the only way to split the results is to route it to a different index on the indexing layer, nothing to be done on the UF layer for Splitting it out :
https://answers.splunk.com/answers/50761/how-do-i-route-data-to-specific-index-based-on-a-field.html

Reply
Solved! Jump to solution

adalbor
Builder
‎06-19-2019 05:39 AM

Thank you!

Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-19-2019 05:44 AM

Most welcome @adalbor, let me know if you need anything else and please accept the answer and upvote if it was helpful!

Reply
Solved! Jump to solution

bryceweb22
Path Finder
‎06-18-2019 08:09 AM

If your data has already been indexed there is not way to change the source type. You would need to delete it and reindex. Try this

https://answers.splunk.com/answers/1487/some-of-my-data-does-not-have-the-correct-sourcetype-can-i-c...

0 Karma
Reply
Solved! Jump to solution

adalbor
Builder
‎06-18-2019 08:23 AM

Thanks for the input..not trying to re-index data though

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-18-2019 08:06 AM

Hi adalbor,
see https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Advancedsourcetypeoverrides
Anyway, try something like this:

[your_original_sourcetype]
REGEX = <your_regex>
FORMAT = sourcetype::<your_custom_sourcetype_value>
DEST_KEY = MetaData:Sourcetype

but remember that using the original TA_Windows you already have all the fields correctly defined, instead if you override it, you have to redefine all of them.
Bye.
Giuseppe

Reply
Solved! Jump to solution

adalbor
Builder
‎06-18-2019 12:12 PM

Is there a way to also send it to a unique index?

0 Karma
Reply
Solved! Jump to solution

adalbor
Builder
‎06-18-2019 08:45 AM

Thank you! Will give this a shot.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top