Getting Data In

WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

yannK
Splunk Employee

After upgrading my Windows 2003 servers to Splunk 6, I discovered that all my nullQueue filters stopped working, and I indexed more data than before.

I checked, and the reason is that the sourcetype name for the WinEventLog has a different case for the first letter of the channel:

  • WinEventLog:Security
  • WinEventLog:System
  • WinEventLog:Application
  • WinEventLog:Capitalized-channel-name

became, under Splunk 6 for Win 2003 only:

  • WinEventLog:security
  • WinEventLog:system
  • WinEventLog:application
  • WinEventLog:smallcaps-channel-name

FYI, my filters on the indexers and heavy forwarders were:

  • in props.conf

```
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
```

  • in transforms.conf

```
[MyNullQueueFilter]
REGEX = (Windows Update)
DEST_KEY = queue
FORMAT = nullQueue
```

1 Solution

yannK
Splunk Employee

This is a known bug, SPL-78726; the fix is not yet released in Splunk 6.0 or 6.0.1.

For the search, the sourcetypes are case insensitive, so you will find the events.
But for props.conf matching, the regex and stanza are case sensitive, so they may not apply anymore.

Workaround:

  • change your props.conf to match all your formats

```
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter

[WinEventLog:security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
```

  • force the sourcetype name in the inputs.conf

```
[WinEventLog://Security]
sourcetype=WinEventLog:Security
```

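To make the failure mode in the question and the asymmetry described in the answer concrete, here is an added example (not from the original thread, and not Splunk's own code): a deliberately simplified model of index-time routing in which props.conf stanza lookup is an exact, case-sensitive match while search-time sourcetype matching is case-insensitive. The `.conf` parser, the `route_event` routing logic and the sample events are all constructed for this illustration; only the stanza contents come from the thread.

```python
"""
Simplified model of Splunk nullQueue routing, written to illustrate SPL-78726.
Assumptions (not Splunk's implementation): a props.conf stanza applies only
when its name equals the event's sourcetype exactly (case-sensitive), a
TRANSFORMS-* key names one or more transforms.conf stanzas, and a transform
with DEST_KEY=queue and FORMAT=nullQueue drops events whose raw text matches
REGEX. Search-time matching is modelled as case-insensitive.
"""
import re

# props.conf from the question: a single, capitalised stanza.
PROPS_BEFORE = """
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
"""

# props.conf workaround from the accepted answer: one stanza per spelling.
PROPS_WORKAROUND = """
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter

[WinEventLog:security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
"""

# transforms.conf from the question.
TRANSFORMS = """
[MyNullQueueFilter]
REGEX = (Windows Update)
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events as (sourcetype emitted by the forwarder, raw text).
# The first two mimic a host that keeps the capitalised channel name; the last
# two mimic a Windows 2003 host on Splunk 6, which lowercases it.
EVENTS = [
    ("WinEventLog:Security", "Message=An account was successfully logged on"),
    ("WinEventLog:Security", "Message=Windows Update installed an update"),
    ("WinEventLog:security", "Message=Successful logon"),
    ("WinEventLog:security", "Message=Windows Update installed an update"),
]


def parse_conf(text):
    """Parse a Splunk-style .conf into {stanza: {key: value}}, keeping stanza case."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def route_event(sourcetype, raw, props, transforms):
    """Return 'nullQueue' if an applicable transform drops the event, else 'indexQueue'.

    The stanza lookup is an exact dict lookup, so 'WinEventLog:security' does
    not pick up the stanza written as 'WinEventLog:Security'.
    """
    stanza = props.get(sourcetype, {})
    for key, names in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in names.split(","):
            t = transforms.get(name.strip(), {})
            if t.get("DEST_KEY") == "queue" and re.search(t.get("REGEX", ""), raw):
                return t.get("FORMAT", "indexQueue")
    return "indexQueue"


def count_indexed(events, props_text, transforms_text):
    """Number of events that reach the index under the given configuration."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    return sum(1 for st, raw in events
               if route_event(st, raw, props, transforms) == "indexQueue")


def search_count(events, sourcetype_query):
    """Search-time sourcetype matching, modelled as case-insensitive per the answer."""
    return sum(1 for st, _ in events if st.lower() == sourcetype_query.lower())


if __name__ == "__main__":
    print("indexed before workaround:", count_indexed(EVENTS, PROPS_BEFORE, TRANSFORMS))
    print("indexed with workaround:  ", count_indexed(EVENTS, PROPS_WORKAROUND, TRANSFORMS))
    print("search sourcetype=WinEventLog:Security sees:", search_count(EVENTS, "WinEventLog:Security"))
```

With the original single stanza, the two lowercase-sourcetype events bypass the filter entirely, so three of the four events are indexed, including the one the regex was meant to drop; adding the second stanza brings that down to the two intended events. The search-side count of four is the same either way, which is why the extra volume shows up as a licence or disk surprise rather than as missing search results.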


yannK
Splunk Employee

Change on indexers and heavy forwarders.


aberdamy
Explorer

Thank you for your response however I'm not sure what you're saying here could you please clarify?


yannK
Splunk Employee

The index-time filters only apply on the instances parsing the events: indexers and heavy forwarders (if any).

If you had custom props.conf that were working, change them where they already exist.


aberdamy
Explorer

So do we change the props.conf on the forwarder or indexer? Also, are these two separate workarounds that will solve the issue or are they to be used together?


yannK
Splunk Employee

As you wish:

  • system/local will always win, so this is a very definitive place to change
  • while an app can be deployed easily to all instances using a deployment server


aberdamy
Explorer

Which inputs.conf should I change this in, the apps or the system/local directory?
