Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

split windows event log

mrain7
New Member
‎02-16-2014 08:27 PM

Windows event log, I want to index only part of the message

exemple

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5447
EventType=0

SourceName order to index only part of what should you do?

Tags (1)
0 Karma
Reply

dshpritz
SplunkTrust
SplunkTrust
‎02-16-2014 10:40 PM

If you are running Splunk 6 on your forwarders, there are options for filtering what events and parts of the events you grab.

Otherwise, you should check out the docs info on how to Anonymize data, but rather than using the SED props configuration for anonymizing your data, you would be removing the parts you don't want to index.

HTH,

Dave

Reply

dshpritz
SplunkTrust
SplunkTrust
‎02-16-2014 11:55 PM

No problem. In the props.conf on your indexer or heavy forwarder, you would need to add the following:

[WinEventLog:Security]

SED-remove_before_message = (?s).*(?=Message=)

0 Karma
Reply

mrain7
New Member
‎02-16-2014 11:49 PM

sorry.

02/17/2014 01:33:30 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=정보
ComputerName=NIG-PC
TaskCategory=프로세스 만들기
OpCode=정보
RecordNumber=4470383
Keywords=감사 성공
Message=새 프로세스가 만들어져 있습니다.

I want to index the part in bold.

thanks

0 Karma
Reply

dshpritz
SplunkTrust
SplunkTrust
‎02-16-2014 11:36 PM

I'm sorry, I don't know what you mean by "text hm"

0 Karma
Reply

mrain7
New Member
‎02-16-2014 11:31 PM

thank you

but..i need message text hm..

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...