Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transforms on Windows Lync Event Logs

kmugglet
Communicator
‎05-08-2014 05:32 PM

I have set up universal forwarders on our Lync servers to send the WinEventLog:Lync Server events back to the indexers and store the event in index cmp_main

 apps/forwarder_lync/local/inputs.conf

[WinEventLog:Lync Server]

index = cmp_main

disabled = 0

start_from = oldest

current_only = 0

checkpointInterval = 5

On the indexers I'm trying to split off all events with Type=Error to a different index 'cmp_secure'

apps/indexer_lync/local/props.conf

[WinEventLog:Lync Server]

TRANSFORMS-lync_services_failures_security=lync_services_failures_security

which should then match with the transforms.conf and send it on it's merry way to the new index
apps/indexer_lync/local/transforms.conf

[lync_services_failures_security]

SOURCE_KEY = MetaData:_raw

REGEX = Type=Error

DEST_KEY = _MetaData:Index

FORMAT = cmp_secure

I can't see anything wrong with the code but it refuses to send it to the other index, if I change the index in the inputs.conf it switches so I know the app is getting deployed correctly.

Is it because of the space in "Lync Server" in the props.conf sourcetype? Does that need escaping? I didn't think it did as it's encapsulated in the [].

Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmugglet
Communicator
‎05-08-2014 08:34 PM

Ok - answer my own question

I removed the SOURCE_KEY line from the transforms.conf.


As I understood it, MetaData:_raw should be the default anyway, but obviously it doesn't like it in this instance. Maybe the Windows Event Logs are different???

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kmugglet
Communicator
‎05-08-2014 08:34 PM

Ok - answer my own question

I removed the SOURCE_KEY line from the transforms.conf.


As I understood it, MetaData:_raw should be the default anyway, but obviously it doesn't like it in this instance. Maybe the Windows Event Logs are different???

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...