I am trying to make splunk less noisy and filter out some of our 4688 events. I have tried to use the Ingest Action on our Indexer but when I select our sourcetype "WMI:WinEventLog:Security" none of the data appears when I pull a sample. If I run a straight search query I can see the data and filter down to the correct events I want to filter out. Is there something I'm missing?
I ran into a similar issue, and there could be at least two reasons for this. Here is the search the wizard generates:
index=* OR index=_* _sourcetype="WinEventLog" | where _sourcetype="WinEventLog" | head 100
1. The Ingest Sample Data wizard uses the "where" search command, which is case-sensitive. So make sure the sourcetype case matches how it actually shows up in events. WinEventLog is not the same as wineventlog.
2. The wizard also uses the _sourcetype field instead of the sourcetype field. That means that if there is any sourcetype transformation happening already, the _sourcetype field will have the original sourcetype. You can check this by searching for your events and adding this _sourcetype field (which is normally hidden).
index=* sourcetype="winEventLog" | head 100 | eval orig_sourcetype=_sourcetype
Patrick
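An added diagnostic search that combines both checks from the answer above (it is not part of Patrick's reply). It lists, for 4688 events only, every exact-case sourcetype value alongside the hidden _sourcetype, so you can see which spelling the wizard's case-sensitive "where" will match and whether a transformation has already renamed the sourcetype. It assumes the standard EventCode field is extracted for your Windows event data.

```spl
index=* OR index=_* EventCode=4688
| eval orig_sourcetype=_sourcetype
| stats count min(_time) as first_seen max(_time) as last_seen by index sourcetype orig_sourcetype
| eval transformed=if(sourcetype!=orig_sourcetype, "yes", "no")
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

Rows with transformed="yes" show the value you have to enter in the wizard (the orig_sourcetype column), and the exact case shown in the sourcetype/orig_sourcetype columns is what the wizard's "where" clause needs.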
