Windows event log, I want to index only part of the message
Example:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5447
EventType=0
In order to index only part of it, what should you do?
If you are running Splunk 6 on your forwarders, there are options for filtering what events and parts of the events you grab.
Otherwise, you should check out the docs on how to anonymize data, but rather than using the SED props configuration for anonymizing your data, you would be removing the parts you don't want to index.
HTH,
Dave
No problem. In the props.conf on your indexer or heavy forwarder, you would need to add the following:
[WinEventLog:Security]
# props.conf expects SEDCMD-<class> = s/<regex>/<replacement>/; the (?s) flag lets .* span line breaks
SEDCMD-remove_before_message = s/(?s).*(?=Message=)//
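To see what that substitution actually does to an event before committing it to props.conf, here is an added Python emulation (not code from the thread or from Splunk) that runs the same regex over the asker's sample event from later in this thread and over a constructed multi-line 4688 event. It assumes Python's re module behaves like Splunk's PCRE for this pattern, and it also shows the caveat that without (?s) the greedy .* cannot cross line breaks, so nothing gets stripped.

```python
import re

# Event taken from the asker's post in this thread (Korean field values kept as posted).
SAMPLE_EVENT = """02/17/2014 01:33:30 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=정보
ComputerName=NIG-PC
TaskCategory=프로세스 만들기
OpCode=정보
RecordNumber=4470383
Keywords=감사 성공
Message=새 프로세스가 만들어져 있습니다."""

# Constructed event: a 4688 whose Message spans several lines, as real ones do.
MULTILINE_EVENT = """02/17/2014 01:35:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
ComputerName=EXAMPLE-PC
Message=A new process has been created.

Process Information:
	New Process Name:	C:\\Windows\\System32\\example.exe
	Creator Process ID:	0x1234"""

# The regex half of the props.conf line: SEDCMD-... = s/(?s).*(?=Message=)//
SEDCMD_REGEX = r"(?s).*(?=Message=)"


def apply_sedcmd(event: str, regex: str = SEDCMD_REGEX, replacement: str = "") -> str:
    """Emulate a Splunk SEDCMD 's/regex/replacement/' (no 'g' flag: first match only).

    Assumption: Python's re is close enough to Splunk's PCRE for this pattern.
    """
    return re.sub(regex, replacement, event, count=1)


def apply_without_dotall(event: str) -> str:
    """Same substitution with the (?s) flag left out: '.' stops at newlines,
    so the first match is an empty string right before 'Message=' and the
    event comes back unchanged. This is the mistake to check for."""
    return re.sub(r".*(?=Message=)", "", event, count=1)


def message_only(event: str) -> str:
    """Convenience: the text that would actually be indexed after the SEDCMD."""
    return apply_sedcmd(event)


if __name__ == "__main__":
    print(message_only(SAMPLE_EVENT))
    print("---")
    print(message_only(MULTILINE_EVENT))
    print("---")
    print("unchanged without (?s):", apply_without_dotall(SAMPLE_EVENT) == SAMPLE_EVENT)
```

Run it once with your own exported event text pasted into SAMPLE_EVENT; if the result does not start with Message=, the regex is wrong for your data, and fixing it here is cheaper than re-indexing.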
sorry.
02/17/2014 01:33:30 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=정보
ComputerName=NIG-PC
TaskCategory=프로세스 만들기
OpCode=정보
RecordNumber=4470383
Keywords=감사 성공
Message=새 프로세스가 만들어져 있습니다.
I want to index the part in bold.
thanks
I'm sorry, I don't know what you mean by "text hm"
thank you
but... I need the message text hm...