
Splunk Receiving

Contributor

I have several servers sending WinEventLogs to my server. I have no control of the remote servers, so I would like to put them in their own indexes. All of this is in its own application, WinEvent.

Here I am trying to catch the incoming data and force it to be processed via props.conf by re-routing. It does not seem to work. Below that, I tried to use sourcetype to index the data. The host names are [not really] winsql, winmail, winexchage.

[splunktcp://win*:9997]
route = has_key:_utf8:parsingQueue;has_key:_linebreaker:parsingQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue
index = winevent
disabled = o

[WinEventLog:System]
disabled = 0
index = winsys

[WinEventLog:Security]
disabled = 0
index = winsec

[WinEventLog:Application]
disabled = 0
index = winapp

Here is my props.conf

[WinEventLog...]
TRANSFORMS-WinApp = WinEvent_App
TRANSFORMS-WinSec = WinEvent_Sec
TRANSFORMS-WinSys = WinEvent_Sys

And finally my transforms.conf

[WinEvent_App]
SOURCE_KEY = MetaData:Source
REGEX = (source::WinEventLog:Application)
FORMAT = index::winapp
DEST_KEY = _MetaData:Index

[WinEvent_Sec]
SOURCE_KEY = MetaData:Source
REGEX = (source::WinEventLog:Security)
FORMAT = index::winsec
DEST_KEY = _MetaData:Index

[WinEvent_Sys]
SOURCE_KEY = MetaData:Source
REGEX = WinEventLog:System
FORMAT = index::winsys
DEST_KEY = _MetaData:Index

I have been unable to move the incoming data from the default index=main to any of my new indexes.

Any suggestions?


Re: Splunk Receiving

Engager

Could it be that there is a typo in the inputs?

disabled = o

That's a lower-case letter 'O'


Re: Splunk Receiving

Contributor

fk319,

I agree with jlunk that the problem might be your disabled line.

Since you do not control the remote systems, it is possible that a configuration is not exactly as you would like it to be.
If you choose to force/override the metadata settings you can do this. If the remote systems are Universal Forwarders, then you can install your props/transforms on the receiver of their data to override the index metadata. Is this where you have set up your props/transforms referenced above, or did you put it on the Universal Forwarder doing the collection?

Note, for troubleshooting, if you are not doing encryption, you can do a packet capture on port 9997 on your receiver to look at the data coming from these systems. You will be able to clearly see the metadata settings in the pcap and can see if they are being set by the sending host.

Sean

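As an added example (not part of the thread and not the poster's configuration), here is a receiver-side inputs.conf, props.conf and transforms.conf that performs the index override the replies describe. It assumes the senders are Universal Forwarders (which do not parse, so the override must live on the indexer or on the first heavy forwarder in the path) delivering the standard sources WinEventLog:System, WinEventLog:Security and WinEventLog:Application; the stanza name TRANSFORMS-winevent_index is an arbitrary constructed label.

```ini
# --- inputs.conf on the receiving indexer (constructed example) ---
# Only the listener lives here; the index for forwarded events is
# chosen by the transforms below. Note "disabled = 0", not the letter o.
[splunktcp://9997]
disabled = 0

# --- props.conf on the receiving indexer ---
# Windows event log inputs arrive with source = WinEventLog:<channel>,
# so the stanza matches on source (a bare [WinEventLog...] stanza would
# be read as a literal sourcetype name and never match).
[source::WinEventLog...]
TRANSFORMS-winevent_index = WinEvent_App, WinEvent_Sec, WinEvent_Sys

# --- transforms.conf on the receiving indexer ---
# MetaData:Source holds the literal string "source::<value>", so the
# regex anchors on it. With DEST_KEY = _MetaData:Index, FORMAT must be
# the bare index name (not "index::winapp").
[WinEvent_App]
SOURCE_KEY = MetaData:Source
REGEX = ^source::WinEventLog:Application$
DEST_KEY = _MetaData:Index
FORMAT = winapp

[WinEvent_Sec]
SOURCE_KEY = MetaData:Source
REGEX = ^source::WinEventLog:Security$
DEST_KEY = _MetaData:Index
FORMAT = winsec

[WinEvent_Sys]
SOURCE_KEY = MetaData:Source
REGEX = ^source::WinEventLog:System$
DEST_KEY = _MetaData:Index
FORMAT = winsys
```

The target indexes must already be defined in indexes.conf on the indexer (events routed to an undefined index are dropped unless lastChanceIndex is set), and the change only affects data arriving after splunkd is restarted.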