Getting Data In

Transforming Forwarded WinEvents

jwarfel
New Member

Scenario:
Multiple WinHosts forwarding logs to separate Linux indexers using Splunk Forwarders.

Objective:
The ability to transform WinEvents using transforms.conf and props.conf

Situation:
Transforming data from local sources, such as syslog, works without error. Transforming the forwarded events is not working. I am wondering if I need to specify the forwarded data in inputs.conf?

0 Karma

lukejadamec
Super Champion

Here is a good example of filtering security events (in case you want to keep some of them).
Just remember the order is important - send to nullQueue first:

http://answers.splunk.com/answers/29218/filtering-windows-event-logs

0 Karma
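To make the ordering point concrete, here is an added Python simulation (not Splunk's code and not from the linked answer) of how a props.conf TRANSFORMS list is evaluated: each transform is tried in order and the last one that matches sets the queue, so a catch-all nullQueue rule must come before the keep rule. The [discard] stanza mirrors the one posted later in this thread; the keep_logons stanza name, the event IDs it keeps, and the sample events are constructed for illustration.

```python
import re

# Constructed stand-ins for forwarded WinEventLog:Security events (multi-line _raw).
# These are hand-made illustrations, not captured log data.
SAMPLE_EVENTS = [
    "LogName=Security\nEventCode=4624\nMessage=An account was successfully logged on.",
    "LogName=Security\nEventCode=4688\nMessage=A new process has been created.",
    "LogName=Security\nEventCode=4672\nMessage=Special privileges assigned to new logon.",
]

# transforms.conf stanzas, reduced to the keys that matter for queue routing.
# "discard" is the drop-everything stanza from this thread; "keep_logons" is an
# assumed name for a stanza that rescues selected event codes.
TRANSFORMS = {
    "discard": {"REGEX": r".", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "keep_logons": {
        # (?m) so ^ anchors at each line of the multi-line event, as in PCRE
        "REGEX": r"(?m)^EventCode=(4624|4672)",
        "DEST_KEY": "queue",
        "FORMAT": "indexQueue",
    },
}


def route_event(raw, transform_names, transforms=TRANSFORMS):
    """Apply a props.conf TRANSFORMS-* list in order to one event.

    Every matching transform with DEST_KEY=queue overwrites the queue, so the
    last match wins. Events that match nothing keep the default indexQueue.
    """
    queue = "indexQueue"
    for name in transform_names:
        stanza = transforms[name]
        if stanza["DEST_KEY"] != "queue":
            continue  # field-extraction transforms do not affect routing
        if re.search(stanza["REGEX"], raw):
            queue = stanza["FORMAT"]
    return queue


def route_all(raw_events, transform_names):
    """Return the destination queue for each event, in input order."""
    return [route_event(raw, transform_names) for raw in raw_events]


if __name__ == "__main__":
    # Correct order: drop everything first, then rescue the logon events.
    print(route_all(SAMPLE_EVENTS, ["discard", "keep_logons"]))
    # Wrong order: the catch-all runs last and silently drops everything.
    print(route_all(SAMPLE_EVENTS, ["keep_logons", "discard"]))
```

Run it with the two orderings to see why the nullQueue rule has to be listed first in the TRANSFORMS line.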

lukejadamec
Super Champion

Filtering Windows events is a very common practice. It does work - I do it myself.
But, there are a number of things that can go wrong.
What exactly is the sourcetype? Where are you placing the configs, which files, and what are the configs?
Why do you think there is something wrong with the forwarded data - Windows security logs are standard, but they can come from at least two different sources.
Did you restart Splunk on the indexer after you made the changes?
Lastly, you do know that these changes will not affect logs already indexed, right?

jwarfel
New Member

This is not working either.

0 Karma

kristian_kolb
Ultra Champion

Well, if you want to be rid of all WinEventLog:Security, it's probably better to not monitor them in the first place. Other than that, it could be done like:

props.conf

[WinEventLog:Security]
TRANSFORMS-blah = discard

transforms.conf

[discard]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

This is not working for you?

/K

0 Karma

jwarfel
New Member

No, that is not working for me. I think it has something to do with the events being forwarded.

0 Karma

jwarfel
New Member

Version = 5.0.2

0 Karma

lukejadamec
Super Champion

What version of Splunk are you using?

0 Karma

jwarfel
New Member

Yes, I should have been more specific. I am transforming on the indexer. I want to be able to transform any parts of the events, for example, to send all WinEventLog:Security to the null queue.

0 Karma

kristian_kolb
Ultra Champion

What parts of the events do you want to transform, and why?

In any case, you do know that the props/transforms settings should be configured on the indexer, right?

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

/k

0 Karma