Transforming Forwarded WinEvents

jwarfel
New Member

Scenario:
Multiple WinHosts forwarding logs to separate Linux indexers using Splunk Forwarders.

Objective:
The ability to transform WinEvents using transforms.conf and props.conf

Situation:
Transforming data from local sources, such as syslog, works without error. Transforming the forwarded events is not working. I am wondering if I need to specify the forwarded data in inputs.conf?


lukejadamec
Super Champion

Here is a good example of filtering security events (in case you want to keep some of them).
Just remember the order is important - send to nullQueue first:

http://answers.splunk.com/answers/29218/filtering-windows-event-logs


lukejadamec
Super Champion

Filtering Windows events is a very common practice. It does work - I do it myself.
But, there are a number of things that can go wrong.
What exactly is the sourcetype? Where are you placing the configs, which files, and what are the configs?
Why do you think there is something wrong with the forwarded data - Windows security logs are standard, but they can come from at least two different sources.
Did you restart Splunk on the indexer after you made the changes?
Lastly, you do know that these changes will not affect logs already indexed right?

jwarfel
New Member

This is not working either.


kristian_kolb
Ultra Champion

Well, if you want to be rid of all WinEventLog:Security, it's probably better to not monitor them in the first place. Other than that, it could be done like:

props.conf

[WinEventLog:Security]
TRANSFORMS-blah = discard

transforms.conf

[discard]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

This is not working for you?

/K

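Building on the props/transforms pair above and the "send to nullQueue first" ordering, here is an added example (not from the thread) of both files as they would sit on the indexer, dropping every Security event except the EventCodes listed; the stanza names and the 4624/4625 codes (logon success/failure) are assumed sample values.

```ini
# props.conf (on the indexer, not the universal forwarder)
[WinEventLog:Security]
# Transforms run left to right, so the catch-all nullQueue rule
# must be first and the "keep" rule last; otherwise everything is dropped.
TRANSFORMS-filter = security_setnull, security_keep

# transforms.conf
[security_setnull]
# Match every event and route it to nullQueue (discard).
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[security_keep]
# Sample EventCodes (assumption): only these are routed back to indexQueue.
# EventCode= sits on its own line in a Windows event, hence (?m)^.
REGEX = (?m)^EventCode=(4624|4625)
DEST_KEY = queue
FORMAT = indexQueue
```

Restart Splunk on the indexer after editing; already-indexed events are unaffected.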

jwarfel
New Member

No, that is not working for me. I think it has something to do with the events being forwarded.


jwarfel
New Member

Version = 5.0.2


lukejadamec
Super Champion

What version of Splunk are you using?


jwarfel
New Member

Yes, I should have been more specific. I am transforming on the indexer. I want to be able to transform any parts of the events. To send all WinEventLog:Security to the null queue for example.


kristian_kolb
Ultra Champion

What parts of the events do you want to transform, and why?

In any case, you do know that the props/transforms settings should be configured on the indexer, right?

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

/k
