Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

yannK
Splunk Employee
Splunk Employee
‎01-13-2014 02:39 PM

After upgrading my Windows servers 2003 to Splunk 6. I discovered that all my nullQueues filter stopped working, and I indexed mode data than before.

I checked, and the reason is that the sourcetype name for the WinEventLog has a different case for the first letter of the channel :

  • WinEventLog:Security
  • WinEventLog:System
  • WinEventLog:Application
  • WinEventLog:Capitalized-channel-name

became under Splunk 6 for Win 2003 only

  • WinEventLog:security
  • WinEventLog:system
  • WinEventLog:application
  • WinEventLog:smallcaps-channel-name

FYI my filter on the indexers and heavy forwarders were :

  • in props.conf

[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter

  • in transforms.conf

[MyNullQueueFilter]
REGEX = (Windows Update)
DEST_KEY = queue
FORMAT = nullQueue

Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎01-13-2014 02:45 PM

This is a known bug SPL-78726, the fix is not yet released in Splunk 6.0 or 6.0.1

For the search, the sourcetypes are case insensitive, so you will find the events.
But for the props.conf matching the regex and stanza are case sensitive, so they may not apply anymore.

Workaround :

  • change your props.conf to match all your formats

`
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter

[WinEventLog:security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
`

  • force the sourcetype name in the inputs.conf


[WinEventLog://Security]
sourcetype=WinEventLog:Security

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎01-13-2014 02:45 PM

This is a known bug SPL-78726, the fix is not yet released in Splunk 6.0 or 6.0.1

For the search, the sourcetypes are case insensitive, so you will find the events.
But for the props.conf matching the regex and stanza are case sensitive, so they may not apply anymore.

Workaround :

  • change your props.conf to match all your formats

`
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter

[WinEventLog:security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
`

  • force the sourcetype name in the inputs.conf


[WinEventLog://Security]
sourcetype=WinEventLog:Security

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎04-08-2014 11:19 AM

change on Indexers and Heavy forwarders

0 Karma
Reply
Solved! Jump to solution

aberdamy
Explorer
‎04-01-2014 12:50 PM

Thank you for your response however I'm not sure what you're saying here could you please clarify?

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎04-01-2014 09:54 AM

the indextime filters only applies on the instances parsing the events : Indexers and Heavy forwarders (if any)

If you had custom props.conf that were working, change they were they already exist.

0 Karma
Reply
Solved! Jump to solution

aberdamy
Explorer
‎04-01-2014 05:47 AM

So do we change the props.conf on the forwarder or indexer? Also, are these two separate workarounds that will solve the issue or are they to be used together?

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎03-31-2014 02:06 PM

As you wish,
- system/local will always win, so this is a very definitive place to change
- While an app can be deployed easily to all instances using a deployment server

0 Karma
Reply
Solved! Jump to solution

aberdamy
Explorer
‎03-31-2014 01:39 PM

which inputs.conf should I change this in the apps or the system/local directory?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...