I have installed the heavy forwarder on a Windows machine in order to filter Windows Event Log events. I would like to forward only events of Type=Warning and Type=Error.
But it doesn't work.
I have created a file props.conf and a file transforms.conf.
Where should I put these files? In $SPLUNK_HOME/etc/system/local or in $SPLUNK_HOME/etc/apps/SplunkForwarder/local?
Can somebody help me, because I have been working on this for several days without any solution. Thanks
The content of props.conf is:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=FilterSec
[WMI:WinEventLog:System]
TRANSFORMS-wmi=FilterSys
[WMI:WinEventLog:Application]
TRANSFORMS-wmi=FilterApp
Content of transforms.conf:
[FilterSys]
REGEX= (?msi)^Type=Information
DEST_KEY= queue
FORMAT= nullQueue
[FilterSec]
REGEX= (?msi)^Type=Information
DEST_KEY= queue
FORMAT= nullQueue
[FilterApp]
REGEX= (?msi)^Type=Information
DEST_KEY= queue
FORMAT= nullQueue
Verify what the exact final sourcetype of your events is with a search.
I suspect that your props stanza should be like:
[WinEventLog:Security]
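An added, stand-alone Python example (not from the thread and not Splunk's own code) that replays the mechanism behind this answer: props.conf stanzas are looked up by the event's exact final sourcetype, the TRANSFORMS- values name stanzas in transforms.conf, and a transform with DEST_KEY = queue and FORMAT = nullQueue drops any event whose raw text matches its REGEX. The .conf parser, the two event records and the sample configs are constructed for this example; the keys and stanza names are the ones used in the thread. It also flags a TRANSFORMS- value that names a stanza missing from transforms.conf, which silently disables the filter. Keep in mind that nullQueue routing happens in the parsing pipeline, so it only takes effect on an instance that parses (an indexer or a heavy forwarder).

```python
"""Offline check of Splunk-style props/transforms nullQueue filtering for
Windows Event Log events (constructed example, not Splunk code)."""
import re

# Constructed configs. PROPS_WMI uses the WMI: prefixed stanza name; PROPS_FIXED
# uses the stanza name that equals the event's final sourcetype.
PROPS_WMI = """
[WMI:WinEventLog:Security]
TRANSFORMS-wmi = FilterSec
"""
PROPS_FIXED = """
[WinEventLog:Security]
TRANSFORMS-wmi = FilterSec
"""
TRANSFORMS = """
[FilterSec]
REGEX = (?msi)^Type=Information
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed event records in the classic field=value-per-line WinEventLog layout.
INFO_EVENT = """01/15/2014 10:00:00 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=WORKSTATION01
Message=An account was successfully logged on."""
WARNING_EVENT = INFO_EVENT.replace("Type=Information", "Type=Warning")


def parse_conf(text):
    """Parse '[stanza]' / 'key = value' text into {stanza: {key: value}}.
    Minimal parser for this example: no continuation lines or includes."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def transforms_for(props, sourcetype):
    """Transform names referenced by the props stanza whose name equals the
    sourcetype exactly; '[WMI:WinEventLog:Security]' never matches
    sourcetype 'WinEventLog:Security'."""
    names = []
    for key, value in props.get(sourcetype, {}).items():
        if key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(","))
    return names


def missing_transforms(props, transforms):
    """TRANSFORMS- references with no matching transforms.conf stanza
    (a misspelled name here means the filter never runs)."""
    return [name for stanza in props
            for name in transforms_for(props, stanza)
            if name not in transforms]


def route(props, transforms, sourcetype, raw_event):
    """Queue the event ends up in: the transform's FORMAT (nullQueue) when a
    DEST_KEY = queue transform's REGEX matches, otherwise indexQueue."""
    for name in transforms_for(props, sourcetype):
        t = transforms.get(name)
        if t is None or t.get("DEST_KEY") != "queue":
            continue
        # (?m) makes ^ anchor at each line start, so 'EventType=0' does not
        # match '^Type=Information' while the 'Type=Information' line does.
        if re.search(t["REGEX"], raw_event):
            return t.get("FORMAT", "indexQueue")
    return "indexQueue"


if __name__ == "__main__":
    transforms = parse_conf(TRANSFORMS)
    for label, props_text in (("WMI: stanza", PROPS_WMI), ("exact stanza", PROPS_FIXED)):
        props = parse_conf(props_text)
        for event in (INFO_EVENT, WARNING_EVENT):
            kind = event.splitlines()[5]
            print(label, kind, "->", route(props, transforms, "WinEventLog:Security", event))
    print("missing transforms:",
          missing_transforms(parse_conf("[WinEventLog:Application]\nTRANSFORMS-wmi = FitlerApp\n"),
                             transforms))
```

Running it shows the Information event reaching indexQueue under the WMI: stanza (the filter never attaches) and nullQueue under the exact-sourcetype stanza, while the Warning event is indexed in both cases.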
I have wracked my brains over this and still can't get it to work!! Here are my config files:
inputs.conf
[WinEventLog:Application]
disabled = 0
[WinEventLog:System]
disabled = 0
props.conf
[WinEventLog:Application]
TRANSFORMS-wmi = FitlerApp
[WinEventLog:System]
TRANSFORMS-wmi = FilterSys
transforms.conf
[FilterApp]
REGEX = (?msi)^Type=Information
DEST_KEY = queue
FORMAT = nullQueue
[FilterSys]
REGEX = (?msi)^Type=Information
DEST_KEY = queue
FORMAT = nullQueue
I was putting all of these files in C:\Program Files\Splunk\etc\system\local, but after reading alain_bettiol's post I moved the transforms.conf and props.conf files into C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local and it still doesn't work! What am I doing wrong? Please advise!
You were right, it seems to work now.
I have used this stanza [WinEventLog:..] instead of [WMI:WinEventLog:..] and now it works. I have also moved props.conf and transforms.conf into the folder $SPLUNK_HOME/apps/SplunkForwarder/etc/local, otherwise it doesn't work.
Thanks for your help