
Splunk Receiving

fk319
Builder

I have several servers sending WinEventLogs to my server. I have no control over the remote servers, so I would like to put them in their own indexes. All of this is in its own application, WinEvent.

Here I am trying to catch the incoming data and force it to be processed via props.conf by re-routing. It does not seem to work. Below that, I tried to use sourcetype to index the data. The host names are [not really] winsql, winmail, winexchage.

[splunktcp://win*:9997]
route = has_key:_utf8:parsingQueue;has_key:_linebreaker:parsingQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue
index = winevent
disabled = o

[WinEventLog:System]
disabled = 0
index = winsys

[WinEventLog:Security]
disabled = 0
index = winsec

[WinEventLog:Application]
disabled = 0
index = winapp

Here is my props.conf

[WinEventLog...]
TRANSFORMS-WinApp = WinEvent_App
TRANSFORMS-WinSec = WinEvent_Sec
TRANSFORMS-WinSys = WinEvent_Sys

and finally my transforms.conf

[WinEvent_App]
SOURCE_KEY = MetaData:Source
REGEX = (source::WinEventLog:Application)
FORMAT = index::winapp
DEST_KEY = _MetaData:Index

[WinEvent_Sec]
SOURCE_KEY = MetaData:Source
REGEX = (source::WinEventLog:Security)
FORMAT = index::winsec
DEST_KEY = _MetaData:Index

[WinEvent_Sys]
SOURCE_KEY = MetaData:Source
REGEX = WinEventLog:System
FORMAT = index::winsys
DEST_KEY = _MetaData:Index

I have been unable to move the incoming data from the default index=main to any of my new indexes.

Any suggestions?

1 Solution

jlunk
Engager

Could it be that there is a typo in the inputs?

disabled = o

That's a lower-case letter 'O'


sdwilkerson
Contributor

fk319,

I agree with jlunk that the problem might be your disabled line.

Since you do not control the remote systems, it is possible that a configuration is not exactly as you would like it to be.
If you choose to force/override the metadata settings, you can do this. If the remote systems are Universal Forwarders, then you can install your props/transforms on the receiver of their data to override the index metadata. Is this where you have set up the props/transforms referenced above, or did you put them on the Universal Forwarder doing the collection?

Note, for troubleshooting, if you are not doing encryption, you can do a packet capture on port 9997 on your receiver to look at the data coming from these systems. You will be able to clearly see the metadata settings in the pcap and can see whether they are being set by the sending host.

Sean

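The receiver-side override Sean describes, written out as an added example (this is not the original poster's configuration and not code from the thread): the four .conf files as they would sit on the Splunk Enterprise indexer that listens on 9997 for the Universal Forwarders. The index names winapp, winsec and winsys are the ones from the question; everything else is assumed. Two details differ from the posted config on purpose: the props.conf stanza carries the source:: prefix, because the "..." wildcard only applies to source:: and host:: stanzas, and FORMAT for DEST_KEY = _MetaData:Index is the bare index name rather than index::winapp.

```ini
# --- inputs.conf (indexer) ---
# Only the listener lives here. The index is decided per event in transforms.conf,
# so no index= or route= is set on the splunktcp stanza.
[splunktcp://9997]
disabled = 0

# --- props.conf (indexer) ---
# source:: stanza with the "..." wildcard: matches WinEventLog:Application,
# WinEventLog:Security, WinEventLog:System and any other channel the forwarders send.
# The transforms run in the order listed; each one only fires when its REGEX matches.
[source::WinEventLog...]
TRANSFORMS-winevent_index = WinEvent_App, WinEvent_Sec, WinEvent_Sys

# --- transforms.conf (indexer) ---
# SOURCE_KEY = MetaData:Source exposes the full value "source::WinEventLog:Application",
# so the regex is anchored on that whole string.
# DEST_KEY = _MetaData:Index expects the bare index name in FORMAT.
[WinEvent_App]
SOURCE_KEY = MetaData:Source
REGEX = ^source::WinEventLog:Application$
DEST_KEY = _MetaData:Index
FORMAT = winapp

[WinEvent_Sec]
SOURCE_KEY = MetaData:Source
REGEX = ^source::WinEventLog:Security$
DEST_KEY = _MetaData:Index
FORMAT = winsec

[WinEvent_Sys]
SOURCE_KEY = MetaData:Source
REGEX = ^source::WinEventLog:System$
DEST_KEY = _MetaData:Index
FORMAT = winsys

# --- indexes.conf (indexer) ---
# The destination indexes must exist on the indexer that applies the transforms;
# an event routed to a non-existent index is not written to main, it is dropped.
# Paths are assumed; adjust to the local volume layout.
[winapp]
homePath   = $SPLUNK_DB/winapp/db
coldPath   = $SPLUNK_DB/winapp/colddb
thawedPath = $SPLUNK_DB/winapp/thaweddb

[winsec]
homePath   = $SPLUNK_DB/winsec/db
coldPath   = $SPLUNK_DB/winsec/colddb
thawedPath = $SPLUNK_DB/winsec/thaweddb

[winsys]
homePath   = $SPLUNK_DB/winsys/db
coldPath   = $SPLUNK_DB/winsys/colddb
thawedPath = $SPLUNK_DB/winsys/thaweddb
```

These files only take effect on the first full Splunk Enterprise instance in the path, since a Universal Forwarder does not run the parsing pipeline; putting props/transforms on the UF is the usual reason a rewrite like this appears to do nothing. After restarting the indexer, `splunk btool transforms list WinEvent_App --debug` shows which file the stanza was merged from, `splunk btool check` validates every .conf against its .spec and is the quickest way to surface a stray value such as `disabled = o`, and a search for `index=winapp source="WinEventLog:Application"` over the last few minutes confirms that new events stopped landing in main. Events already indexed into main stay there; the transform only affects data parsed after the change.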

