Collecting Windows Events as Both XML and Standard

sturmovik
Observer

Is it possible to collect the same Windows event as both the standard type and as XML (i.e., setting the renderXml flag to true in inputs.conf) using the universal forwarder? I have tried two inputs.conf entries for the same event, each sending to a different source type on the same index, but I only receive one set of the events, and it's always XML-formatted if the XML flag is set. I suspect that the answer is no or the solution is overly complicated, but I figured I should ask anyway.

One of my events only has certain information in the XML format and I was looking to avoid having to re-write a lot of existing code to use the XML formatting where it was previously unnecessary.

0 Karma

richgalloway
SplunkTrust

The short answer is no, you can't do both.

Each stanza in a config file is not a separate task.  Instead, Splunk merges the settings for stanzas of the same name.  That's why you get only one copy.

If you need data that's only available from the XML format then you'll have to bite the bullet and re-write the existing code to support XML.

---
If this reply helps you, Karma would be appreciated.
0 Karma
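
The stanza merging described in the answer above, as an added example that is not part of the original thread and is not Splunk's own code. It is a small lint check that merges same-named stanzas in an inputs.conf text and reports every setting that one copy silently overrides in another. The sample config, the index and sourcetype values, and the rule that the later value wins within one file are assumptions made for illustration.

```python
import re

# Constructed sample: the same event log declared twice, as in the question.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Security]
index = example_index
sourcetype = example_classic
renderXml = false

[WinEventLog://Security]
index = example_index
sourcetype = example_xml
renderXml = true
"""

def merge_stanzas(conf_text):
    """Merge same-named stanzas into one set of settings per stanza.

    Returns (effective, conflicts): effective maps stanza name to its merged
    settings; conflicts lists (stanza, key, old, new) for overridden values.
    """
    effective, conflicts, current = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            # A repeated header reopens the existing stanza; it is not a new input.
            current = header.group(1)
            effective.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # settings outside any stanza are ignored in this sketch
        key, value = (part.strip() for part in line.split("=", 1))
        old = effective[current].get(key)
        if old is not None and old != value:
            conflicts.append((current, key, old, value))
        effective[current][key] = value  # assumption: the later value wins
    return effective, conflicts

if __name__ == "__main__":
    effective, conflicts = merge_stanzas(SAMPLE_INPUTS_CONF)
    for stanza, settings in effective.items():
        print(f"[{stanza}] -> {settings}")
    for stanza, key, old, new in conflicts:
        print(f"overridden in [{stanza}]: {key} = {old!r} replaced by {new!r}")
```

On a real forwarder, `splunk btool inputs list --debug` shows the merged configuration Splunk actually uses, including which file each setting came from.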