Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Windows Event Forwarding

Rhidian
Path Finder
‎04-21-2021 09:26 AM

I have Windows Event Forwarding Configured and have installed a Universal Forwarder to send events to a Heavy Forward which then sends them on to the Indexers. I only have a basic configuration on the UF but I need to override a couple of fields such as computer name and index etc. I have setup the input.conf, props.conf and transforms.conf as detailed here https://community.splunk.com/t5/Getting-Data-In/how-can-we-split-forwarded-windows-event-logs-by-hos... on the HF but the configuration seems to get ignored.

I have also simplified this to just having the following in the input.conf on the HF but it makes no difference as events still go to the main index.

[WinEventLog://ForwardedEvents]
index=winevtlog
disabled = 0

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-21-2021 01:24 PM

Yes, there is, but it's much easier and less fragile to set the index on the UF.  IMO, the intermediate HF should be avoided when possible.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-21-2021 09:49 AM

The inputs.conf changes should go on the UF because that is where the input takes place.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Rhidian
Path Finder
‎04-21-2021 11:59 AM

Is there not a way to change the index from the HF?

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-21-2021 01:24 PM

Yes, there is, but it's much easier and less fragile to set the index on the UF.  IMO, the intermediate HF should be avoided when possible.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Rhidian
Path Finder
‎04-21-2021 02:10 PM

Perfect thanks, any idea why the rest of the transform isn't working all my events are shown as coming from the WEC and not their actual devices also the source is ForwardedEvents and I would like that to be the actual log they came from, can this be done from the HF?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-22-2021 05:57 AM

I can't help with the transform.  Try posting a new question with the transform in it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...