Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

split windows event log

mrain7
New Member
‎02-16-2014 08:27 PM

Windows event log, I want to index only part of the message

exemple

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5447
EventType=0

SourceName order to index only part of what should you do?

Tags (1)
0 Karma
Reply

dshpritz
SplunkTrust
SplunkTrust
‎02-16-2014 10:40 PM

If you are running Splunk 6 on your forwarders, there are options for filtering what events and parts of the events you grab.

Otherwise, you should check out the docs info on how to Anonymize data, but rather than using the SED props configuration for anonymizing your data, you would be removing the parts you don't want to index.

HTH,

Dave

Reply

dshpritz
SplunkTrust
SplunkTrust
‎02-16-2014 11:55 PM

No problem. In the props.conf on your indexer or heavy forwarder, you would need to add the following:

[WinEventLog:Security]

SED-remove_before_message = (?s).*(?=Message=)

0 Karma
Reply

mrain7
New Member
‎02-16-2014 11:49 PM

sorry.

02/17/2014 01:33:30 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=정보
ComputerName=NIG-PC
TaskCategory=프로세스 만들기
OpCode=정보
RecordNumber=4470383
Keywords=감사 성공
Message=새 프로세스가 만들어져 있습니다.

I want to index the part in bold.

thanks

0 Karma
Reply

dshpritz
SplunkTrust
SplunkTrust
‎02-16-2014 11:36 PM

I'm sorry, I don't know what you mean by "text hm"

0 Karma
Reply

mrain7
New Member
‎02-16-2014 11:31 PM

thank you

but..i need message text hm..

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...