I have several servers sending WinEventLogs to my server. I have no control of the remote servers, so I would like to put them in their own indexes. All of this is in its own application, WinEvent.
Here I am trying to catch the incoming data and force it to be processed via props.conf by re-routing. It does not seem to work. Below that, I tried to use sourcetype to index the data. The host names are [not really] winsql, winmail, winexchange.
[splunktcp://win*:9997]
route = has_key:_utf8:parsingQueue;has_key:_linebreaker:parsingQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue
index = winevent
disabled = o

[WinEventLog:System]
disabled = 0
index = winsys

[WinEventLog:Security]
disabled = 0
index = winsec

[WinEventLog:Application]
disabled = 0
index = winapp
here is my props.conf
[WinEventLog...]
TRANSFORMS-WinApp = WinEvent_App
TRANSFORMS-WinSec = WinEvent_Sec
TRANSFORMS-WinSys = WinEvent_Sys

and finally my transforms.conf
[WinEvent_App]
SOURCE_KEY = MetaData:Source
REGEX = (source::WinEventLog:Application)
FORMAT = index::winapp
DEST_KEY = _MetaData:Index

[WinEvent_Sec]
SOURCE_KEY = MetaData:Source
REGEX = (source::WinEventLog:Security)
FORMAT = index::winsec
DEST_KEY = _MetaData:Index

[WinEvent_Sys]
SOURCE_KEY = MetaData:Source
REGEX = WinEventLog:System
FORMAT = index::winsys
DEST_KEY = _MetaData:Index
I have been unable to move the incoming data from the default index=main to any of my new indexes.
I agree with jlunk that the problem might be your disabled line.
Since you do not control the remote systems, it is possible that a configuration is not exactly as you would like it to be.
If you choose to force/override the metadata settings you can do this. If the remote systems are Universal Forwarders, then you can install your props/transforms on the receiver of their data to override the index metadata. Is this where you have set up your props/transforms referenced above, or did you put it on the Universal Forwarder doing the collection?
Note, for troubleshooting, if you are not doing encryption, you can do a packet-capture on port 9997 on your receiver to look at the data coming from these systems. You will be able to clearly see the metadata settings in the pcap and can see if they are being set by the sending host.
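Added example, not code from the question or the answer above: a small Python model of what the receiver-side props/transforms described in the answer do, namely rewrite the index from the event's source metadata. The props.conf and transforms.conf text, the event metadata dicts and the host names are constructed for this example; the matching follows Splunk's source:: stanza and SOURCE_KEY/REGEX/FORMAT/DEST_KEY semantics in simplified form (one pass, last matching transform wins), and events with no matching rule stay in the default index, which is the behaviour the question reports.

```python
import re
from collections import OrderedDict

# Constructed receiver-side configuration (not the poster's files). The props.conf
# stanza is keyed on the source ("source::" prefix plus "..." wildcard is the
# props.conf form for matching sources) and hands every WinEventLog event to three
# transforms; each transform rewrites the index when the source matches.
PROPS_CONF = """
[source::WinEventLog...]
TRANSFORMS-WinApp = WinEvent_App
TRANSFORMS-WinSec = WinEvent_Sec
TRANSFORMS-WinSys = WinEvent_Sys
"""

TRANSFORMS_CONF = """
[WinEvent_App]
SOURCE_KEY = MetaData:Source
REGEX = ^source::WinEventLog:Application$
FORMAT = index::winapp
DEST_KEY = _MetaData:Index

[WinEvent_Sec]
SOURCE_KEY = MetaData:Source
REGEX = ^source::WinEventLog:Security$
FORMAT = index::winsec
DEST_KEY = _MetaData:Index

[WinEvent_Sys]
SOURCE_KEY = MetaData:Source
REGEX = ^source::WinEventLog:System$
FORMAT = index::winsys
DEST_KEY = _MetaData:Index
"""

# Constructed event metadata as the receiver would see it (host names are the
# placeholders from the question; metadata values carry Splunk's prefixes).
SAMPLE_EVENTS = [
    {"MetaData:Source": "source::WinEventLog:Application", "MetaData:Host": "host::winsql"},
    {"MetaData:Source": "source::WinEventLog:Security", "MetaData:Host": "host::winmail"},
    {"MetaData:Source": "source::WinEventLog:System", "MetaData:Host": "host::winexchange"},
    {"MetaData:Source": "source::WinEventLog:Setup", "MetaData:Host": "host::winsql"},
    {"MetaData:Source": "source::/var/log/messages", "MetaData:Host": "host::linux01"},
]


def parse_conf(text):
    """Parse .conf text into an ordered mapping of stanza name -> {key: value}."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line or setting outside a stanza: {raw!r}")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def stanza_matches_source(stanza, source_value):
    """True if a props.conf [source::<pattern>] stanza applies to an event whose
    MetaData:Source is source_value. '...' matches anything; '*' matches anything
    except a path separator."""
    if not stanza.startswith("source::"):
        return False
    pattern = stanza[len("source::"):]
    source = source_value[len("source::"):] if source_value.startswith("source::") else source_value
    regex = re.escape(pattern).replace(r"\.\.\.", ".*").replace(r"\*", r"[^/\\]*")
    return re.fullmatch(regex, source) is not None


def route_event(event, props, transforms, default_index="main"):
    """Return the index one event lands in after index-routing transforms run.
    Only transforms with DEST_KEY = _MetaData:Index are applied, in order."""
    index = default_index
    for stanza, settings in props.items():
        if not stanza_matches_source(stanza, event["MetaData:Source"]):
            continue
        for key, names in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in names.split(",")):
                t = transforms[name]
                if t.get("DEST_KEY") != "_MetaData:Index":
                    continue
                value = event.get(t.get("SOURCE_KEY", "_raw"), "")
                if re.search(t["REGEX"], value):
                    fmt = t["FORMAT"]
                    if not fmt.startswith("index::"):
                        raise ValueError(f"{name}: FORMAT must be index::<name>, got {fmt!r}")
                    index = fmt[len("index::"):]
    return index


def route_all(events=SAMPLE_EVENTS):
    """Route every sample event and return the list of target indexes."""
    props = parse_conf(PROPS_CONF)
    transforms = parse_conf(TRANSFORMS_CONF)
    return [route_event(e, props, transforms) for e in events]


if __name__ == "__main__":
    for event, index in zip(SAMPLE_EVENTS, route_all()):
        print(f"{event['MetaData:Host']:<18} {event['MetaData:Source']:<36} -> {index}")
```

Running it shows the three WinEventLog channels landing in winapp, winsec and winsys, while the Setup channel and the Linux syslog source stay in main because no transform matched. The same model is a quick way to check a regex before deploying it: an unanchored REGEX such as the question's WinEventLog:System still matches, but anchoring on the full source:: value avoids accidental matches on similarly named sources.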