Hi
A nullQueue procedure is needed for multiline data, such as a Windows Security log.
The heavy forwarder is trying to nullQueue logs sent by a large number of universal forwarders.
If the name is anything other than ComputerName=PC01 or ComputerName=PC02, I would like to send EventCode=5145 to nullQueue.
But I have to get another EventCode.
Is there a good way?
-- example data --
08/09/2019 12:21:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=info
ComputerName=PC01
Provided the Windows events are properly parsed as multiline, you can keep specific events and discard the rest as below.
1) Edit props.conf and add the following (modify the sourcetype accordingly):
[winSecurityLog]
TRANSFORMS-set = setnull, setparsing
2) Edit transforms.conf and add the following (order matters: setnull runs first and sends everything to nullQueue, then setparsing overrides the queue for matching events):
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = PC0[1-2]
DEST_KEY = queue
FORMAT = indexQueue
Reference:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Routeandfilterdatad
It doesn't fit the above conditions.
Is this your condition?
if (ComputerName !=PC01 AND ComputerName!=PC02 AND EventCode=5145)
then
Send_To_NullQueue
else
Send_to_IndexQueue
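To make the difference between the two conditions concrete, here is an added Python model (not Splunk code and not from anyone in this thread) of how a TRANSFORMS-set chain picks a queue: Splunk applies the listed transforms in order, each matching transform writes its FORMAT into DEST_KEY, so the last match wins. It runs the answer's setnull/setparsing pair and a hypothetical single-transform regex for the condition stated in the last comment over a few constructed events in the question's layout. The CONDITION_CHAIN regex, the event names and the sample hosts PC03/PC010 are assumptions made for the example.

```python
import re

# Constructed sample events in the multiline Windows Security log layout
# shown in the question (not real events from the thread).
def _event(code, host):
    return (
        "08/09/2019 12:21:21 PM\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={code}\n"
        "EventType=0\n"
        "Type=info\n"
        f"ComputerName={host}"
    )

EVENTS = {
    "pc01_5145": _event(5145, "PC01"),   # should be kept under both conditions
    "pc03_5145": _event(5145, "PC03"),   # the event the asker wants dropped
    "pc03_4624": _event(4624, "PC03"),   # "another EventCode" the asker wants to keep
    "pc010_5145": _event(5145, "PC010"), # host that merely starts with PC01
}


def route(event, transforms, default="indexQueue"):
    """Model of a TRANSFORMS-set chain deciding the queue for one event.

    Transforms run in order; every transform whose REGEX matches _raw writes
    its FORMAT into DEST_KEY (here the queue), so the last match wins. Events
    no transform matches keep the default queue.
    """
    queue = default
    for regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


# The chain from the answer above: drop everything, then re-admit PC01/PC02.
ANSWER_CHAIN = [
    (r".", "nullQueue"),          # [setnull]
    (r"PC0[1-2]", "indexQueue"),  # [setparsing]
]

# Hypothetical single transform for the condition in the last comment
# (an assumption, not from the thread): drop only EventCode=5145 events
# whose ComputerName is neither PC01 nor PC02. (?ms) lets ^/$ match at line
# boundaries and '.' span newlines; anchoring the lookahead on '$' makes
# PC010 count as "not PC01". It relies on EventCode appearing before
# ComputerName in the event, as in the sample data.
CONDITION_CHAIN = [
    (r"(?ms)^EventCode=5145$.*^ComputerName=(?!PC0[12]$)", "nullQueue"),
]


def route_all(transforms):
    """Return {event name: queue} for every sample event under one chain."""
    return {name: route(raw, transforms) for name, raw in EVENTS.items()}


if __name__ == "__main__":
    for label, chain in (("answer chain", ANSWER_CHAIN),
                         ("condition chain", CONDITION_CHAIN)):
        print(label)
        for name, queue in route_all(chain).items():
            print(f"  {name:11s} -> {queue}")
```

Running it shows why the asker says the answer "doesn't fit": the answer's chain also drops pc03_4624, and its unanchored PC0[1-2] keeps pc010_5145, while the single anchored transform drops exactly the EventCode=5145 events from hosts other than PC01 and PC02. In a real transforms.conf the same regex would go in the REGEX line of one stanza with DEST_KEY = queue and FORMAT = nullQueue.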