Getting Data In

Windows Event Forwarding

Rhidian
Path Finder

I have Windows Event Forwarding Configured and have installed a Universal Forwarder to send events to a Heavy Forward which then sends them on to the Indexers. I only have a basic configuration on the UF but I need to override a couple of fields such as computer name and index etc. I have setup the input.conf, props.conf and transforms.conf as detailed here https://community.splunk.com/t5/Getting-Data-In/how-can-we-split-forwarded-windows-event-logs-by-hos... on the HF but the configuration seems to get ignored.

I have also simplified this to just having the following in the input.conf on the HF but it makes no difference as events still go to the main index.

[WinEventLog://ForwardedEvents]
index=winevtlog
disabled = 0

 

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Yes, there is, but it's much easier and less fragile to set the index on the UF.  IMO, the intermediate HF should be avoided when possible.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The inputs.conf changes should go on the UF because that is where the input takes place.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Rhidian
Path Finder

Is there not a way to change the index from the HF?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, there is, but it's much easier and less fragile to set the index on the UF.  IMO, the intermediate HF should be avoided when possible.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Rhidian
Path Finder

Perfect thanks, any idea why the rest of the transform isn't working all my events are shown as coming from the WEC and not their actual devices also the source is ForwardedEvents and I would like that to be the actual log they came from, can this be done from the HF?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I can't help with the transform.  Try posting a new question with the transform in it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...