
WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

Splunk Employee

After upgrading my Windows 2003 servers to Splunk 6, I discovered that all my nullQueue filters stopped working, and I indexed more data than before.

I checked, and the reason is that the sourcetype name for the WinEventLog has a different case for the first letter of the channel:

  • WinEventLog:Security
  • WinEventLog:System
  • WinEventLog:Application
  • WinEventLog:Capitalized-channel-name

became, under Splunk 6 for Win 2003 only:

  • WinEventLog:security
  • WinEventLog:system
  • WinEventLog:application
  • WinEventLog:smallcaps-channel-name

FYI, my filters on the indexers and heavy forwarders were:

  • in props.conf

```
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
```

  • in transforms.conf

```
[MyNullQueueFilter]
REGEX = (Windows Update)
DEST_KEY = queue
FORMAT = nullQueue
```


Re: WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

Splunk Employee

This is a known bug, SPL-78726; the fix is not yet released in Splunk 6.0 or 6.0.1.

For the search, the sourcetypes are case insensitive, so you will find the events.
But for props.conf matching, the regex and stanza are case sensitive, so they may not apply anymore.

Workaround:

  • change your props.conf to match all your formats

```
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter

[WinEventLog:security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
```

  • force the sourcetype name in the inputs.conf

```
[WinEventLog://Security]
sourcetype=WinEventLog:Security
```

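A small audit script for the situation described in this answer, added here as an example (not Splunk's own tooling or code from the thread): it parses stanza names out of a props.conf text and reports which observed sourcetypes match a stanza exactly, which match only case-insensitively (search still finds the events, but the index-time TRANSFORMS silently never fire), and which stanzas to duplicate for the first workaround. The props.conf content and the list of observed sourcetypes are constructed sample data.

```python
import re

# Constructed props.conf mirroring the thread's filter (added example, not Splunk tooling).
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
[WinEventLog:System]
TRANSFORMS-nullqueuefilter=MyNullQueueFilter
"""

# Constructed sourcetypes seen after the upgrade: Win2003 hosts now emit lowercase channels.
OBSERVED_SOURCETYPES = [
    "WinEventLog:Security",
    "WinEventLog:security",
    "WinEventLog:system",
    "WinEventLog:Application",
]

def parse_stanzas(conf_text):
    """Return stanza names of a Splunk .conf file, case preserved."""
    return re.findall(r"^\[([^\]]+)\]", conf_text, re.MULTILINE)

def audit_sourcetype_case(conf_text, observed):
    """Map each observed sourcetype to (status, matching stanza or None):
    exact     - stanza matches byte-for-byte, so TRANSFORMS fire;
    case_only - only a case-insensitive match exists, so search still finds
                the events but the index-time filter is silently skipped;
    missing   - no stanza at all."""
    stanzas = set(parse_stanzas(conf_text))
    by_lower = {s.lower(): s for s in stanzas}
    result = {}
    for st in observed:
        if st in stanzas:
            result[st] = ("exact", st)
        elif st.lower() in by_lower:
            result[st] = ("case_only", by_lower[st.lower()])
        else:
            result[st] = ("missing", None)
    return result

def stanzas_to_add(conf_text, observed):
    """Stanza names to duplicate so every case_only sourcetype is covered."""
    audit = audit_sourcetype_case(conf_text, observed)
    return sorted(st for st, (status, _) in audit.items() if status == "case_only")

if __name__ == "__main__":
    for st, (status, match) in audit_sourcetype_case(PROPS_CONF, OBSERVED_SOURCETYPES).items():
        print(f"{st:26s} {status:10s} {match or '-'}")
    print("add stanzas:", stanzas_to_add(PROPS_CONF, OBSERVED_SOURCETYPES))
```

Feed it the real props.conf from an indexer or heavy forwarder and the distinct sourcetype values from a search over the WinEventLog data to see which filters stopped applying after the upgrade.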


Re: WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

Explorer

Which inputs.conf should I change this in: the apps or the system/local directory?


Re: WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

Splunk Employee

As you wish:
- system/local will always win, so this is a very definitive place to change it
- while an app can be deployed easily to all instances using a deployment server


Re: WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

Explorer

So do we change the props.conf on the forwarder or indexer? Also, are these two separate workarounds that will solve the issue or are they to be used together?


Re: WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

Splunk Employee

The index-time filters only apply on the instances parsing the events: indexers and heavy forwarders (if any).

If you had custom props.conf that were working, change them where they already exist.


Re: WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

Explorer

Thank you for your response however I'm not sure what you're saying here could you please clarify?


Re: WinEventLog filters failing :Windows 2003 and splunk 6 SPL-78726

Splunk Employee

Change on indexers and heavy forwarders.
