Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

split windows event log

mrain7
New Member
‎02-16-2014 08:27 PM

Windows event log, I want to index only part of the message

exemple

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5447
EventType=0

SourceName order to index only part of what should you do?

Tags (1)
0 Karma
Reply

dshpritz
SplunkTrust
SplunkTrust
‎02-16-2014 10:40 PM

If you are running Splunk 6 on your forwarders, there are options for filtering what events and parts of the events you grab.

Otherwise, you should check out the docs info on how to Anonymize data, but rather than using the SED props configuration for anonymizing your data, you would be removing the parts you don't want to index.

HTH,

Dave

Reply

dshpritz
SplunkTrust
SplunkTrust
‎02-16-2014 11:55 PM

No problem. In the props.conf on your indexer or heavy forwarder, you would need to add the following:

[WinEventLog:Security]

SED-remove_before_message = (?s).*(?=Message=)

0 Karma
Reply

mrain7
New Member
‎02-16-2014 11:49 PM

sorry.

02/17/2014 01:33:30 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=정보
ComputerName=NIG-PC
TaskCategory=프로세스 만들기
OpCode=정보
RecordNumber=4470383
Keywords=감사 성공
Message=새 프로세스가 만들어져 있습니다.

I want to index the part in bold.

thanks

0 Karma
Reply

dshpritz
SplunkTrust
SplunkTrust
‎02-16-2014 11:36 PM

I'm sorry, I don't know what you mean by "text hm"

0 Karma
Reply

mrain7
New Member
‎02-16-2014 11:31 PM

thank you

but..i need message text hm..

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...