I want events to be put in either the main index or and index called "risks" based on Windows event ID.

I have created an index named "risks" but am not sure how to filter the events there.

I attempted to implement the commands you recommended, but searching index="risks" shows nothing.

Jamie

Hi @jamie1 ,

this means that you should configure index=main in the inputs.con event if I don't like to use the main index I always prefer to use anothe index than main.

then in the Indexers or (if present) in the first Heavy Forwarder the the logs pass through, you have to add:

on props.conf (if wineventlog is the sourcetype of this data source):

[wineventlog]
TRANSFORMS-index = overrideindex

on transforms.conf (if the EventCodes to send to the risk index are 4624 or 4625 or 4634):

[overrideindex]
DEST_KEY =_MetaData:Index
REGEX = EventCode\=4624|4625|4634
FORMAT = risk

 Obviously adapt the regex to your requirements and your logs, in other words, insert the EventCodes you need and check if there are spaces inside this string (between EventCode and = and between = and the values).

Put attention to the location of these files: you must analyze your Splunk architecture to locate them in the first full Splunk instance (not Universal Forwarder) that the Data Source pass through. 

Ciao.

Giuseppe

Hi Giuseppe,

I am using Splunk Cloud, would this make a difference to this process?

Jamie

Hi @jamie1 ,

if you are using Splunk Cloud, if the events of this Data Source are on premise, I suppose that your data pass throgh one or (better) two Heavy Forwarders as concentrators (to avoid to open all the Routes from your systems and Splunk Cloud.

In this case, you can put these conbffiles on these Heavy Forwarders.

If you directly send logs from your Universal Forwarders to Splunk Cloud (this that I don't hint!) the only solution is to create an add-on containing these two files and upload it to Splunk Cloud..

Ciao.

Giuseppe

I do indeed use Universal Forwarders, not heavy forwarders.

Hi @jamie1 ,

as I said, I always use one or (better) two Heavy Forwarders as Concentrators to avoid to open all connections between each UF and Splunk Cloud and I hint to consider this evolution to your architecture.

Anyway, for now in your case the only solution is to create an add-on, containing the two conf files, and upload it to Splunk Cloud.

Ciaoi.

Giuseppe

From what you're saying it seems like setting up the Heavy Forwarders seems to be the best long term solution. In your opinion, which sort of device would be most suited for being a Heavy Forwarder?

Thanks for your help so far,

Jamie

Hi @jamie1 ,

an Heavy Forwarder is a full instance Splunk Server con figured to forward all log to Splunk Cloud.

It should be a normal Splunk server (12 CPUs and 12 GB RAM) but if you haven't too many events, you can also use less resourcer (8+8).

You should install in the HF the add-on that you downloaded from Splunk Cloud.

Then you have to configure all your Universal Forwarder to send their logs to the HF.

In this way you don't need to open all routes between UFs and Splunk Cloud, in addition, you can use this HF for syslogs and if you haven't too many UFs (less than 50) also as Deployment Server.

The best approach is to have two HFs to avoid Single Points of Failure.

In this way you can make transformations before sending logs to Splunk Cloud.

Ciao.

Giuseppe

I did not provide any commands.  I offered an example transforms.conf setting that you would have to load on your indexer/Heavy Forwarder, restart, and then ingest new data.  I'm surprised you could do all of that in 3 minutes.

INGEST_EVAL = index=if(EventCode=7036,"risks", "main")

Hi Rich,

That reply was not to your message. I am yet to try your solution.

Thanks for the advice though.

Jamie