Getting Data In

how can we split forwarded windows event logs by host?

Path Finder

We are using windows event log forwarding to extract the security logs from 100 plus servers to a central location where a splunk forwarder pushes the logs to a Splunk indexer

The problem we have is that the host and source for all events is the server where it Splunk forwarder is installed.

Is there a way of tagging each event with the ORIGINAL server which is included in the event before it gets to the indexer?

Tags (1)
0 Karma


Yes, this is an old post - but I'll answer it anyway in case someone else is using Windows Event Forwarding and comes across this. Assuming you are monitoring the Forwarded Events log in Windows with using a Splunk forwarder, add the following props and transforms entries on an indexer or heavy forwarder:

In props.conf:

TRANSFORM=host = win-host-computername

In transforms.conf:

DEST_KEY = MetaData:Host
REGEX = ComputerName=([^\s\.]+)
FORMAT = host::$1

The transforms entry will strip fully qualified domain names if they are present. if you want to extract a complete fqdn instead of the hostname only, use (\S+) instead of ([^\s\.]+)

This all assumes that you're monitoring the Forwarded Events log with an inputs.conf definition that looks something like this:

# Note that there must be no space between 'Forwarded' and 'Events.
disabled = 0


Thanks. I've been trying to get this working, and it seems like something is still missing. I'm getting forwarded events into Splunk, but the source host is still the computer name of my event collector, not the computers that originally forwarded the events. Any additional suggestions would be appreciated. (It looks to me like there might be a typo in your suggested props.conf file entry, I think I fixed that on my agent, but still no luck.)

0 Karma


As jonuwz said, sample events would help us help you. Also, how are the events stored on the server that has the forwarder - as individual files, as one big file, organized in directories, etc?

You can set the host for the inputs on the forwarder. You can set the host name based on the name of the input flle, the directory, or even part of the file name. However, on a universal forwarder you can only set the host name on a per-input basis. If your environment mixes events from different hosts into a single file, the universal forwarder can't handle that. This is the approach I would try first.

But if the forwarder is a "heavy forwarder", you can parse the individual events before sending them to the indexer. You would need to set up the parsing (using transforms.conf) to identify the host for each event. That would give you a chance to set the host before forwarding the events. This is not as efficient, so it is not my first choice.

In fact, you can do the same parsing on the indexer itself; a "heavy forwarder" is not usually needed. Again, it is not as efficient as the specify-by-input approach of the Universal Forwarder.

Of course, I think it would be better to put the Universal Forwarder on all of the 100+ servers... but that might not be a reasonable solution, especially in the short term.

0 Karma


If you can show a few sample events (sanitized of course), we can help you set it up. And you could probably even do it on the indexers instead of the heavy forwarder...

0 Karma

Path Finder

These are standard windows event logs. One of the limitations with this method is that all the servers feed there logs into signal event view called "forwarded events".

They do have the name of the originating computer within the event, so I guess the heavy forwarder will be the way to go...

0 Karma


Probably not, but if the event contains the hostname anywhere, you can have the indexer extract the hostname and set the host field before its indexed. Have you got a sample event ?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!