Hello experts,
I have recently onboarded around 300 Windows devices. I have followed the onboarding guide and am getting the logs ingested as required, except for one field, i.e. sourcetype. The source and sourcetype are updated as below:
source = WinEventLog:System
sourcetype = wineventlog
Can someone please help in identifying the issue?
Thanks
NOTE: based on the OP comments, this is a common problem specifically for WinEventLog and use case mapping when uploading a CSV into WinEventLog. However, this could pertain to their situation as well since the actual source of the data was not stated (CSV, JSON, etc).
======================================
The issue is more to the 'transforms.conf' vs the 'inputs.conf'.
Since this requires the 'transforms.conf' to be edited, you will need CLI access and cannot perform this via the GUI itself (cannot be accomplished solely via: Settings --> Fields --> Field Alias), since the 'transforms.conf' cannot be edited from within the GUI. (If there is a way to do this, PLEASE let me know!)
Props.conf & transforms.conf
1. Edit the file: "$SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/props.conf"
[windows_csv]
rename = WinEventLog
[source::EventCode.csv]
TRANSFORMS-fixcsv = windows-classic-csv
===========================================
2. Edit the file: "$SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/transforms.conf"
[windows-classic-csv]
DEST_KEY = MetaData:Source
REGEX = ,wineventlog:(\S+),
FORMAT = source::WinEventLog:$1
===========================================
-Restart Splunkd (when acceptable to do so) for config changes to take effect, since you edited the "transforms.conf" file.
-Import file should be named 'EventCode.csv'
-Sourcetype during add data import should be 'windows_csv' (copied from regular csv sourcetype)
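As an added example (not code from this thread or from Splunk_TA_windows), the Python below simulates that transforms.conf stanza on a few constructed CSV rows so the REGEX/FORMAT can be checked before a splunkd restart; the row layout is an assumption and the props.conf rename is not simulated.

```python
import re
# transforms.conf stanza copied from the answer above (props rename not simulated)
TRANSFORMS_CONF = r"""[windows-classic-csv]
DEST_KEY = MetaData:Source
REGEX = ,wineventlog:(\S+),
FORMAT = source::WinEventLog:$1
"""

def parse_conf(text):
    """Minimal .conf parser: {stanza: {key: value}} (no continuation lines)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def apply_transform(stanza, raw_event, meta):
    """Simulate one transforms.conf stanza: on a REGEX match, rewrite the
    metadata field named by DEST_KEY with FORMAT ($1..$n substituted)."""
    new = dict(meta)
    match = re.search(stanza["REGEX"], raw_event)
    if not match:
        return new  # no match: source/sourcetype stay as imported
    fmt = stanza["FORMAT"]
    for i, group in enumerate(match.groups(), start=1):
        fmt = fmt.replace(f"${i}", group)
    field = {"MetaData:Source": "source", "MetaData:Sourcetype": "sourcetype"}
    new[field[stanza["DEST_KEY"]]] = fmt.split("::", 1)[1]  # drop "source::"
    return new

def simulate_ingest(rows, source="EventCode.csv", sourcetype="windows_csv"):
    """Metadata the stanza would produce for each constructed CSV row."""
    stanza = parse_conf(TRANSFORMS_CONF)["windows-classic-csv"]
    base = {"source": source, "sourcetype": sourcetype}
    return [apply_transform(stanza, row, base) for row in rows]

# Constructed sample rows (EventCode,channel,message...); not real event data.
SAMPLE_ROWS = [
    "4624,wineventlog:Security,An account was successfully logged on",
    "7036,wineventlog:System,The service entered the running state",
    "1000,wineventlog:Application,AppCrash,explorer.exe",  # greedy \S+ pitfall
    "1102,WinEventLog:Security,The audit log was cleared",  # case mismatch
]
```

The third row shows the greedy \S+ swallowing a following comma-separated field that contains no whitespace, and the fourth shows that the match is case-sensitive, so test against rows in your real CSV layout.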
Hi @bbiswabhusan,
I suppose that you're using the Splunk_TA_windows for ingesting those logs.
What's the problem you had?
Could you better describe the anomalies you have?
Ciao.
Giuseppe
Yes @gcusello, I'm using the Windows TA, but the sourcetype is not extracted properly. It's coming as sourcetype = wineventlog while the source is WinEventLog:Security.
Hi @bbiswabhusan,
If this is your problem, you could force the correct sourcetype in the inputs.conf so you have the correct mapping.
Ciao.
Giuseppe
@gcusello , I already have the below in inputs.conf
[WinEventLog://Security]
persistentQueueSize = 1GB
disabled = 0
Do I need to add anything else?
Hi @bbiswabhusan,
Did you try to force the sourcetype in inputs.conf:
[WinEventLog://Security]
persistentQueueSize = 1GB
disabled = 0
sourcetype = WinEventLog
or
[WinEventLog://Security]
persistentQueueSize = 1GB
disabled = 0
sourcetype = XmlWinEventLog
Ciao.
Giuseppe
@gcusello, I haven't yet tried that, as generally that wasn't required. Is there any specific reason why it's not working?
Hi @bbiswabhusan,
What do you mean by "not working"?
Fields aren't extracted?
What's the sourcetype associated with your logs?
Could you share a screenshot of your logs and fields?
Ciao.
Giuseppe