
WinEventLog filters failing: Windows 2003 and Splunk 6 SPL-78726

yannK
Splunk Employee

After upgrading my Windows 2003 servers to Splunk 6, I discovered that all my nullQueue filters stopped working, and I indexed more data than before.

I checked, and the reason is that the sourcetype name for the WinEventLog has a different case for the first letter of the channel:

  • WinEventLog:Security
  • WinEventLog:System
  • WinEventLog:Application
  • WinEventLog:Capitalized-channel-name

became under Splunk 6 for Win 2003 only

  • WinEventLog:security
  • WinEventLog:system
  • WinEventLog:application
  • WinEventLog:smallcaps-channel-name

FYI, my filters on the indexers and heavy forwarders were:

  • in props.conf

```
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
```

  • in transforms.conf

```
[MyNullQueueFilter]
REGEX = (Windows Update)
DEST_KEY = queue
FORMAT = nullQueue
```

1 Solution

yannK
Splunk Employee

This is a known bug, SPL-78726; the fix is not yet released in Splunk 6.0 or 6.0.1.

For the search, the sourcetypes are case insensitive, so you will find the events.
But for props.conf matching, the stanza names and regexes are case sensitive, so they may not apply anymore.

Workaround:

  • change your props.conf to match all your formats

```
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter

[WinEventLog:security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
```

  • force the sourcetype name in the inputs.conf

```
[WinEventLog://Security]
sourcetype=WinEventLog:Security
```
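
The following simulation, added here as an illustration and not code from Splunk or from this thread, shows why the original props.conf stanza silently stops dropping events once the channel name arrives in lower case, and that the first workaround (a stanza per casing) restores the filter for both casings. It parses the thread's own props.conf and transforms.conf fragments with Python's configparser, whose section names are case sensitive, and routes a handful of constructed sample events through a stand-in for Splunk's queue routing. The sample events, the `EVENTS` list and the `dropped_counts` and `search_matches` helpers are all constructed for this example; the exact-match dict lookup is a simplification of Splunk's stanza matching that reproduces the case-sensitive behaviour the answer describes.

```python
"""Simulate Splunk index-time nullQueue routing to show why a props.conf
stanza stops matching when the sourcetype's channel name changes case.
Added illustration, not Splunk code: a plain dict lookup stands in for
Splunk's stanza matching, which the thread reports is case sensitive."""
import configparser
import re

# Constructed config fragments, mirroring the ones posted in the thread.
PROPS_ORIGINAL = """
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter = MyNullQueueFilter
"""

# Workaround from the accepted answer: one stanza for each casing.
PROPS_WORKAROUND = """
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter = MyNullQueueFilter

[WinEventLog:security]
TRANSFORMS-nullqueuefilter = MyNullQueueFilter
"""

TRANSFORMS = """
[MyNullQueueFilter]
REGEX = (Windows Update)
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events: (sourcetype as the forwarder tagged it, raw text).
# Per the thread, Windows 2003 on Splunk 6 sends the lower-case channel name.
EVENTS = [
    ("WinEventLog:Security", "EventCode=592 Message=Process wuauclt.exe started by Windows Update"),
    ("WinEventLog:Security", "EventCode=528 Message=Successful logon for jdoe"),
    ("WinEventLog:security", "EventCode=592 Message=Process wuauclt.exe started by Windows Update"),
    ("WinEventLog:security", "EventCode=528 Message=Successful logon for jdoe"),
]


def parse_conf(text):
    """Parse a Splunk-style .conf fragment into {stanza: {key: value}}.
    configparser keeps section names case sensitive, which is the property
    under discussion; optionxform=str keeps the key case as well."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def route_event(props, transforms, sourcetype, raw):
    """Return the queue one event lands in ('nullQueue' or 'indexQueue').
    The stanza lookup is exact: 'WinEventLog:security' does not see the
    TRANSFORMS attached to 'WinEventLog:Security'."""
    stanza = props.get(sourcetype, {})
    for key, value in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw):
                return t["FORMAT"]
    return "indexQueue"


def dropped_counts(props_text, transforms_text=TRANSFORMS, events=EVENTS):
    """Count the events sent to nullQueue, per sourcetype, for a props.conf."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    counts = {}
    for sourcetype, raw in events:
        counts.setdefault(sourcetype, 0)
        if route_event(props, transforms, sourcetype, raw) == "nullQueue":
            counts[sourcetype] += 1
    return counts


def search_matches(search_sourcetype, event_sourcetype):
    """Search-time comparison, which the answer says is case insensitive:
    sourcetype=WinEventLog:Security still finds the lower-case events,
    which is why the extra volume shows up in searches but not in filters."""
    return search_sourcetype.lower() == event_sourcetype.lower()


if __name__ == "__main__":
    # Original config drops nothing for the lower-case sourcetype;
    # the workaround drops the Windows Update events for both casings.
    print("original props.conf:  ", dropped_counts(PROPS_ORIGINAL))
    print("workaround props.conf:", dropped_counts(PROPS_WORKAROUND))
```

A quick check of this kind on an indexer (compare the event count per sourcetype casing before and after the change) is the practical way to confirm a nullQueue filter is actually firing after an upgrade, since a non-matching stanza fails silently rather than erroring.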

yannK
Splunk Employee

Change on indexers and heavy forwarders.

0 Karma

aberdamy
Explorer

Thank you for your response; however, I'm not sure what you're saying here. Could you please clarify?

0 Karma

yannK
Splunk Employee

The index-time filters only apply on the instances parsing the events: indexers and heavy forwarders (if any).

If you had custom props.conf files that were working, change them where they already exist.

0 Karma

aberdamy
Explorer

So do we change the props.conf on the forwarder or indexer? Also, are these two separate workarounds that will solve the issue or are they to be used together?

0 Karma

yannK
Splunk Employee

As you wish:
  • system/local will always win, so this is a very definitive place to change
  • while an app can be deployed easily to all instances using a deployment server

0 Karma

aberdamy
Explorer

Which inputs.conf should I change this in, the apps or the system/local directory?

0 Karma