Splunk Search

Trying to send WindowsEventlogs to different index

mileven
Explorer

Currently trying to limit logs out of the application, security, and system logs. I want to send only application and system critical/error to one index and security to a different index.

[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = machine

[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = machine

props.conf
[WinEventLog:Application]
TRANSFORMS-FilterEvents = Win_App_Log_FilterErrorEvents

[WinEventLog:System]
TRANSFORMS-FilterEvents = Win_Sys_Log_FilterErrorEvent

transforms.conf

[Win_App_Log_FilterErrorEvents]
REGEX = (?ism)Type=Error|Critical
DEST_KEY = queue
FORMAT = nullQueue

[Win_Sys_Log_FilterErrorEvent]
REGEX = (?ism)Type=Error|Critical
DEST_KEY = queue
FORMAT = nullQueue

This is for the Security event log.

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = 4674,4720,4725,4726,4727,4728,4740,4947,5136,5137,5141
index = labser_av_ads

I can't see anything wrong with this.

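The following is an added illustration, not code from the post above or from Splunk. It simulates only the piece of the indexing pipeline the post relies on: a TRANSFORMS-<name> list whose stanzas set DEST_KEY = queue, where every matching stanza overwrites the queue key and the last match decides whether the event goes to indexQueue or nullQueue. Python's re module stands in for Splunk's PCRE engine (the semantics coincide for these patterns), and the Windows events are constructed sample text in the classic key=value layout. It contrasts the single nullQueue stanza with the regex `(?ism)Type=Error|Critical` against the documented two-stanza keep-only pattern (send everything to nullQueue, then route the wanted events back to indexQueue), and shows that the alternation in the posted regex also matches the word "Critical" anywhere in a message body.

```python
import re

# Constructed sample events in Splunk's classic WinEventLog text layout
# (one key=value field per line). These are made-up examples for this
# illustration, not events taken from the original post.
SAMPLE_EVENTS = [
    "LogName=Application\nSourceName=MyApp\nEventCode=1000\nType=Error\n"
    "Message=Faulting application path: C:\\app\\myapp.exe",
    "LogName=Application\nSourceName=MyApp\nEventCode=1001\nType=Information\n"
    "Message=Service started successfully",
    "LogName=System\nSourceName=Microsoft-Windows-Kernel-Power\nEventCode=41\n"
    "Type=Critical\nMessage=The system has rebooted without cleanly shutting down first",
    "LogName=System\nSourceName=disk\nEventCode=51\nType=Warning\n"
    "Message=Critical disk error threshold has not yet been reached",
]

# Transforms as (REGEX, FORMAT) pairs, all with DEST_KEY = queue.
# The regex from the post: alternation binds loosely, so it means
# "Type=Error" OR "Critical" anywhere in the event, and FORMAT = nullQueue
# DROPS whatever matches rather than keeping it.
POSTED_TRANSFORMS = [
    (r"(?ism)Type=Error|Critical", "nullQueue"),
]

# The documented keep-only pattern: first send everything to nullQueue,
# then override the queue back to indexQueue for the events to keep.
# Order matters: TRANSFORMS-<name> runs its stanzas left to right.
KEEP_ONLY_TRANSFORMS = [
    (r".", "nullQueue"),
    (r"(?m)^Type=(Error|Critical)$", "indexQueue"),
]


def apply_transforms(event, transforms, default_queue="indexQueue"):
    """Simulate TRANSFORMS-<name> with DEST_KEY = queue: each matching stanza
    overwrites the queue key, so the last matching stanza decides."""
    queue = default_queue
    for regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def event_code(event):
    """Pull EventCode out of a classic-format event (None if absent)."""
    match = re.search(r"(?m)^EventCode=(\d+)$", event)
    return match.group(1) if match else None


def route_events(events, transforms):
    """Map EventCode -> destination queue for a list of events."""
    return {event_code(e): apply_transforms(e, transforms) for e in events}


def kept_event_codes(events, transforms):
    """EventCodes that would actually reach the index under these transforms."""
    routed = route_events(events, transforms)
    return sorted(code for code, queue in routed.items() if queue == "indexQueue")


if __name__ == "__main__":
    # The posted regex keeps only the Information event (1001) and drops the
    # Error, the Critical and even the Warning whose message mentions "Critical".
    print("posted regex keeps :", kept_event_codes(SAMPLE_EVENTS, POSTED_TRANSFORMS))
    # The keep-only pattern retains exactly the Error (1000) and Critical (41) events.
    print("keep-only keeps    :", kept_event_codes(SAMPLE_EVENTS, KEEP_ONLY_TRANSFORMS))
```

In transforms.conf terms, KEEP_ONLY_TRANSFORMS corresponds to one stanza with REGEX = . and FORMAT = nullQueue followed by a second stanza with REGEX = (?m)^Type=(Error|Critical)$ and FORMAT = indexQueue, both with DEST_KEY = queue, listed in that order in the props.conf TRANSFORMS- setting. Anchoring the regex to the Type= line is what stops a message body containing the word "Critical" from changing the routing decision.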

yannK
Splunk Employee

Lowell
Super Champion

So what behavior are you seeing? BTW, why do you have [WinEventLog://Application] instead of just [WinEventLog:Application]? What's the "\\" for?
