WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

yannK
Splunk Employee

After upgrading my Windows 2003 servers to Splunk 6, I discovered that all my nullQueue filters stopped working, and I indexed more data than before.

I checked, and the reason is that the sourcetype name for the WinEventLog has a different case for the first letter of the channel:

  • WinEventLog:Security
  • WinEventLog:System
  • WinEventLog:Application
  • WinEventLog:Capitalized-channel-name

became under Splunk 6 for Win 2003 only

  • WinEventLog:security
  • WinEventLog:system
  • WinEventLog:application
  • WinEventLog:smallcaps-channel-name

FYI, my filters on the indexers and heavy forwarders were:

  • in props.conf

[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter

  • in transforms.conf

[MyNullQueueFilter]
REGEX = (Windows Update)
DEST_KEY = queue
FORMAT = nullQueue

1 Solution

yannK
Splunk Employee

This is a known bug, SPL-78726; the fix is not yet released in Splunk 6.0 or 6.0.1.

For the search, the sourcetypes are case insensitive, so you will find the events.
But for the props.conf matching, the regex and stanza are case sensitive, so they may not apply anymore.

Workaround:

  • change your props.conf to match all your formats

[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter

[WinEventLog:security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter

  • force the sourcetype name in the inputs.conf


[WinEventLog://Security]
sourcetype=WinEventLog:Security

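To see why the filter silently stops applying, here is a small Python model of the behaviour the answer describes. It is an added example, not Splunk code and not part of the original thread. It assumes simplified props.conf/transforms.conf semantics: one exact (case-sensitive) stanza lookup by sourcetype, and `TRANSFORMS-*` keys that send the event to the queue named by `FORMAT` when `REGEX` matches the raw text; real Splunk evaluates more stanza types and precedence rules than this. The config text is taken from the thread's snippets and the sample events are constructed. `check_filters` shows that a "Windows Update" event arriving as `WinEventLog:security` is indexed rather than dropped, `missing_case_variants` is the post-upgrade check (sourcetypes that match a stanza only case-insensitively), and `add_case_variants` generates the duplicate-stanza workaround from the accepted answer.

```python
"""Simplified model of Splunk index-time sourcetype matching (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Conf = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Conf:
    """Parse Splunk-style .conf text into {stanza: {key: value}}.

    Simplification: comments, blank lines and continuation lines are
    ignored; no [default] inheritance is applied.
    """
    stanzas: Conf = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def route_event(sourcetype: str, raw: str, props: Conf, transforms: Conf) -> str:
    """Return the queue the event goes to: 'nullQueue' or 'indexQueue'.

    The stanza lookup is an exact dict lookup, i.e. case sensitive, which
    is the behaviour the thread describes for props.conf matching.
    """
    stanza = props.get(sourcetype, {})
    for key, value in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms.get(name, {})
            # "(?!)" never matches, so a transform without REGEX is inert
            if t.get("DEST_KEY") == "queue" and re.search(t.get("REGEX", "(?!)"), raw):
                return t.get("FORMAT", "indexQueue")
    return "indexQueue"


def missing_case_variants(props: Conf, observed: List[str]) -> List[Tuple[str, str]]:
    """Observed sourcetypes that hit a props stanza only case-insensitively.

    Each result is (observed_sourcetype, existing_stanza_it_was_meant_for).
    """
    folded: Dict[str, str] = {}
    for name in props:
        folded.setdefault(name.lower(), name)
    return [(st, folded[st.lower()]) for st in observed
            if st not in props and st.lower() in folded]


def add_case_variants(props_text: str, pairs: List[Tuple[str, str]]) -> str:
    """Append a copy of each affected stanza under the new-case name (the workaround)."""
    props = parse_conf(props_text)
    extra: List[str] = []
    for new_name, existing in pairs:
        extra.append(f"\n[{new_name}]")
        extra.extend(f"{k} = {v}" for k, v in props[existing].items())
    return props_text.rstrip("\n") + "\n" + "\n".join(extra) + "\n"


# Config from the thread; only the Security channel filter is defined.
PROPS_CONF = """\
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
"""
TRANSFORMS_CONF = """\
[MyNullQueueFilter]
REGEX = (Windows Update)
DEST_KEY = queue
FORMAT = nullQueue
"""
# Constructed sample events (sourcetype, raw text); not real Windows event text.
SAMPLE_EVENTS = [
    ("WinEventLog:Security", "EventCode=4624 An account was successfully logged on"),
    ("WinEventLog:Security", "EventCode=4672 Windows Update service assigned privileges"),
    ("WinEventLog:security", "EventCode=4672 Windows Update service assigned privileges"),
]


def check_filters(props_text: str = PROPS_CONF,
                  transforms_text: str = TRANSFORMS_CONF,
                  events=SAMPLE_EVENTS):
    """Route each sample event and report case-only stanza mismatches."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    routed = [(st, route_event(st, raw, props, transforms)) for st, raw in events]
    gaps = missing_case_variants(props, sorted({st for st, _ in events}))
    return routed, gaps


if __name__ == "__main__":
    routed, gaps = check_filters()
    for st, queue in routed:
        print(f"{st:24s} -> {queue}")
    for observed, stanza in gaps:
        print(f"WARNING: events with sourcetype {observed!r} bypass stanza [{stanza}]")
    print(add_case_variants(PROPS_CONF, gaps))
```

Run it as-is to see the third event land in `indexQueue` despite containing "Windows Update", then feed the output of `add_case_variants` back into `check_filters` to confirm the duplicated stanza catches it. Against a real deployment, the equivalent check is comparing `| metadata type=sourcetypes` output with the stanza names in the props.conf that is actually active on the indexers and heavy forwarders.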

yannK
Splunk Employee

change on Indexers and Heavy forwarders


aberdamy
Explorer

Thank you for your response; however, I'm not sure what you're saying here. Could you please clarify?


yannK
Splunk Employee

The index-time filters only apply on the instances parsing the events: indexers and heavy forwarders (if any).

If you had custom props.conf files that were working, change them where they already exist.


aberdamy
Explorer

So do we change the props.conf on the forwarder or indexer? Also, are these two separate workarounds that will solve the issue or are they to be used together?


yannK
Splunk Employee

As you wish:
- system/local will always win, so this is a very definitive place to change it,
- while an app can be deployed easily to all instances using a deployment server.


aberdamy
Explorer

Which inputs.conf should I change this in, the apps or the system/local directory?
