Hi Team,
it worked for me
[WinEventLog://System]
disabled = 0
whitelist1 = Type="^[Error]"
whitelist2 = Type="^[Critical]"
whitelist3 = Type="^[Warning]"
index = test
I suggest you replace [] with (); characters between [] will match individually, for example:
[Error] - matches E or r or r or o or r anywhere in the event.
(Error) - matches only Error
Also, if I don't know the error EventCode and only want to collect the "Application" and "System" logs based on Type (Error/Warning),
what will my inputs.conf be in this scenario while on-boarding data from UF to Indexer?
try below:
[WinEventLog://Application]
disabled = 0
whitelist = EventCode="^(1001|11707)$"
index = test
[WinEventLog://System]
disabled = 0
# no space between whitelist and number; a '#' only starts a comment at the beginning of a line, so keep it off the whitelist line itself
whitelist1 = EventCode="7011"
whitelist2 = Type="^(Error|Critical)$"
index = test
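To make the two points in this thread concrete (why `[Error]` is a character class rather than the word "Error", and what the `whitelist`/`whitelistN` lines in the last stanza actually let through), here is an added Python example that is not from the thread or from Splunk. It parses whitelist lines out of a small inputs.conf stanza and evaluates them against a few constructed events. It assumes, as a simplification of Splunk's behaviour, that the `key="regex"` pairs on one whitelist line are ANDed, that separate `whitelistN` lines are ORed, and that a regex is applied as an unanchored search unless it carries `^`/`$`; the sample stanzas, events and function names are constructed for this example.

```python
"""Evaluate Splunk-style WinEventLog whitelist rules against sample events.

Added example, not code from the thread or from Splunk. The ANDed-within-a-line /
ORed-across-lines semantics and the unanchored regex search are assumptions
chosen to mirror the documented whitelist behaviour as simply as possible.
"""
import re
from typing import Dict, List

# Constructed sample events: the Type and EventCode fields a Windows event exposes.
SAMPLE_EVENTS = [
    {"Type": "Error",         "EventCode": "7011"},
    {"Type": "Critical",      "EventCode": "41"},
    {"Type": "Warning",       "EventCode": "1014"},
    {"Type": "Information",   "EventCode": "17011"},
    {"Type": "Audit Success", "EventCode": "4624"},
]

# The first poster's pattern, written without the anchor so the character-class
# problem the second poster describes is visible.
BRACKET_STANZA = """
[WinEventLog://System]
disabled = 0
whitelist1 = Type="[Error]"
index = test
"""

# The stanza from the last answer (comment moved to its own line).
GROUP_STANZA = """
[WinEventLog://System]
disabled = 0
# no space between whitelist and number
whitelist1 = EventCode="7011"
whitelist2 = Type="^(Error|Critical)$"
index = test
"""

# Same stanza with the EventCode regex anchored, so "17011" no longer matches "7011".
STRICT_STANZA = GROUP_STANZA.replace('EventCode="7011"', 'EventCode="^7011$"')


def parse_whitelists(stanza: str) -> List[Dict[str, str]]:
    """Return one {field: regex} dict per whitelist / whitelistN line.

    Lines starting with '#' are comments; everything else that is not a
    whitelist line (stanza header, disabled, index) is ignored. Only the
    quoted key="regex" form is handled here (a simplification).
    """
    rules: List[Dict[str, str]] = []
    for raw in stanza.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^whitelist\d*\s*=\s*(.*)$', line)
        if not m:
            continue
        pairs = re.findall(r'(\w+)="([^"]*)"', m.group(1))
        rules.append(dict(pairs))
    return rules


def event_allowed(event: Dict[str, str], rules: List[Dict[str, str]]) -> bool:
    """Assumed semantics: no whitelist means everything is collected; otherwise
    an event passes if every field/regex pair on at least one line matches.
    re.search is used deliberately: only ^ and $ in the regex anchor it."""
    if not rules:
        return True
    for rule in rules:
        if all(re.search(rx, event.get(field, "")) for field, rx in rule.items()):
            return True
    return False


def allowed_codes(stanza: str) -> List[str]:
    """EventCodes of the sample events that the stanza's whitelists let through."""
    rules = parse_whitelists(stanza)
    return [e["EventCode"] for e in SAMPLE_EVENTS if event_allowed(e, rules)]


if __name__ == "__main__":
    for name, stanza in (("[Error]", BRACKET_STANZA),
                         ("(Error|Critical) + 7011", GROUP_STANZA),
                         ("(Error|Critical) + ^7011$", STRICT_STANZA)):
        print(f"{name:28s} -> {allowed_codes(stanza)}")
```

Running it shows the character class `[Error]` admitting Warning and Information events (both contain an `r` or `o`), while `^(Error|Critical)$` admits exactly those two types. It also shows a second caveat worth checking in your own whitelists: the unanchored `EventCode="7011"` from the last answer also matches event 17011, which the anchored `^7011$` form does not.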