I am trying to remove the extra description text that gets appended to windows 2k8 logs using SEDCMD in props.conf. However, I can't seem to get it to work, no matter what I use as my expression. I am receiving events from a light forwarder on a windows box that is pulling the events using WMI from our domain controllers. The indexer is actually a linux box.
This is what I have in props.conf:
[source::WMI:WinEventLog:Security]
SEDCMD-remwinstr = s/(?ism)This event is generated.*$//g
Nothing is being removed. I've tried all kinds of variations on both the stanza name as well as the regular expression itself. I've tried just [WMI:WinEventLog:Security], [WMI:WinEventLog*], [WMI*], and even the name of one of the hosts: [host::<hostname>]
I've also tried different variations of the regex. Even something like this doesn't do any replacement:
SEDCMD-remwinstr = s/(?ism)This/That/g
I've tried with and without (single or double) quotes around the entire part after the = as well. Thoughts?
The problem is that the source of WMI:WinEventLog:Security is not actually set to WMI:WinEventLog:Security at the time that the rule is being matched. There is in fact a TRANSFORM that occurs at index time that sets the source to the value you see. Since it's not yet set, the [source::] stanza rule you have does not match against the data.

You'd actually need a stanza to match against sourcetype [wmi] to have it take effect. The problem here is that this will hit all WMI data, not just the Security Windows Event Log. That might be okay, though there will be a (small) performance cost.
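As an added illustration (not part of the original thread), here is a small Python script that applies a SEDCMD-style s/regex/replacement/flags substitution to a constructed sample event, so you can confirm the regex itself does what you expect before chasing the stanza-matching problem described above. The sample event text, the EXAMPLE-DC01$ host name and the parse_sedcmd/apply_sedcmd helper names are my own assumptions; Python's re module stands in for Splunk's regex engine.

```python
import re

# Constructed sample of a Windows Security event collected over WMI; the
# trailing "This event is generated ..." description is assumed wording that
# stands in for the boilerplate the question wants stripped.
SAMPLE_EVENT = (
    "EventCode=4624\n"
    "Type=Audit Success\n"
    "Message=An account was successfully logged on.\n"
    "Subject:\n"
    "\tSecurity ID:\tS-1-5-18\n"
    "\tAccount Name:\tEXAMPLE-DC01$\n"
    "This event is generated when a logon session is created.\n"
    "It is generated on the computer that was accessed.\n"
)

# The expression from the question; in props.conf on the indexer it would sit
# under the sourcetype stanza the answer recommends:
#   [wmi]
#   SEDCMD-remwinstr = s/(?ism)This event is generated.*$//g
SEDCMD = "s/(?ism)This event is generated.*$//g"


def parse_sedcmd(expr):
    """Split a SEDCMD 's<d>regex<d>replacement<d>flags' into its three parts.

    Only the substitution form is handled (not the 'y' transliteration form).
    A backslash-escaped delimiter inside the regex or replacement is unescaped.
    """
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("only s/regex/replacement/flags is supported")
    delim = expr[1]
    parts, cur, i = [], [], 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr) and expr[i + 1] == delim:
            cur.append(delim)
            i += 2
        elif ch == delim:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    parts.append("".join(cur))
    if len(parts) != 3:
        raise ValueError("expected exactly three %s-separated fields" % delim)
    return tuple(parts)


def apply_sedcmd(expr, text):
    """Apply one SEDCMD substitution to an event body.

    Flags follow Splunk's convention: 'g' replaces every match, a number N
    replaces only the Nth match, and no flag replaces the first match.
    Python's re engine stands in for Splunk's PCRE here (an assumption; the
    two agree on the inline-flag syntax used in this example).
    """
    pattern, repl, flags = parse_sedcmd(expr)
    if flags == "":
        return re.sub(pattern, repl, text, count=1)
    if flags == "g":
        return re.sub(pattern, repl, text)
    nth = int(flags)
    seen = [0]

    def replace_nth(match):
        seen[0] += 1
        return match.expand(repl) if seen[0] == nth else match.group(0)

    return re.sub(pattern, replace_nth, text)


if __name__ == "__main__":
    # Prints the event with everything from "This event is generated" onward removed.
    print(apply_sedcmd(SEDCMD, SAMPLE_EVENT))
```

Run it as a plain script; if the description disappears here but not in Splunk, the regex is fine and the stanza (source vs. sourcetype, as explained in the answer) is the thing to fix.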
Just came across this post. Is there a ref somewhere for what the initial source/sourcetypes are? Can I find it in a forwarder log?
Same problem with sourcetype I'm afraid. It is transformed at the same time as source. On the other hand, several million events per day isn't that much for a standard Splunk server to handle.
That worked. I will have to watch the performance as we will be looking at several million events a day just from all the DCs. Is it not possible to specify a sourcetype of [wmi:wineventlog:security] as that is what is shown in the search results, or is the sourcetype changed via a transform as well?
Yep. Every time I make a change, I restart Splunk through the manager UI.
Have you restarted Splunk after putting your SEDCMD stanza in place?