Splunk Search

Extracting fields from imported Windows Event Logs (text format)

rturk
Builder

Hi Splunkers & Splunkettes,

I have a Splunk Indexer/Search Head running on a WIndows platform and I'm trying to import a text file containing archived Windows Event Log (Application) events as you would any other type of log file.

[monitor://<path_to_file>/WindowsEventLog_Application.txt]
followTail = 0
host_segment = 3
index = winevents
sourcetype = WinEventLog:Application
queue = parsingQueue

The issue is, no field extractions take place for the events I put in by this method, but they do work for events collected locally via the [WindowsEventLog:Application] in the inputs.conf.

So despite both:

  • Have the same sourcetype (WinEventLog:Application)
  • Are in the same index
  • Are accessed & visible in the same app

One works (the local event log interrogation), and one doesn't (mine :P)

I'd rather not reinvent the wheel and create all new props & transforms, when it's obviously in there and working for other data.

Any ideas?

PS. Splunk has been restarted.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Well, you can see the extractions in the $SPLUNK_HOME/etc/system/default/props.conf. If you look there, you'll see that the extractions are based not on the sourcetype, but on the source. Since your source is different, it doesn't work. Now, you could also make it work by overriding your source with a "source = WinEventLog:Application" setting in inputs.conf. Though probably you don't want to.

rturk
Builder

Cheers, I'll give that a try (although I think I did override the source, resulting in the host extraction via 'host_segment' not working). I'll test it and let you know.

0 Karma

rturk
Builder

So I've made a bit of a work-around, but I'd still be interested to know why an existing sourcetype doesn't apply to my data when they are the same.

props.conf

[WindowsEventLog:Application]
REPORT-header_kv_extract = WinEventLog-kv_colon

transforms.conf

[WinEventLog-kv_colon]
REGEX = ^\s{2}([^:]+):\s+([^\n]+)
FORMAT = $1::$2

This performed my key/value extractions (for the time being).

0 Karma

rturk
Builder

Yep that's a typo (couldn't copy & paste as I was on another server)

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

I assume it's a typo that you have WindowsEventLog in your stanza header rather than WinEventLog

0 Karma
Get Updates on the Splunk Community!

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...