Trying to send WindowsEventlogs to different index

Currently trying to limit logs out of the application, security, and system logs. I want to send only application and system critical/error to one index and security to a different index.

[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = machine

[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = machine

Props.conf
[WinEventLog:Application]
TRANSFORMS-FilterEvents = WinAppLog_FilterErrorEvents

[WinEventLog:System]
TRANSFORMS-FilterEvents = WinSysLog_FilterErrorEvent

transforms.conf

[WinAppLog_FilterErrorEvents]
REGEX = (?ism)Type=Error|Critical
DEST_KEY = queue
FORMAT = nullQueue

[WinSysLog_FilterErrorEvent]
REGEX = (?ism)Type=Error|Critical
DEST_KEY = queue
FORMAT = nullQueue

This is for the security event log

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
whitelist = 4674,4720,4725,4726,4727,4728,4740,4947,5136,5137,5141
index = labser_av_ads

I can't see anything wrong with this.
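The transforms posted above route every event that matches `Type=Error|Critical` to `nullQueue`, which discards exactly the events the poster wants to keep, and because `|` binds more loosely than the literal text, `Critical` anywhere in an event also matches. The following added example (not from the original post or from Splunk) models how an ordered `TRANSFORMS-` list rewrites the `queue` key, runs the posted pattern and a corrected two-stanza "discard all, then re-admit" pattern over constructed sample events in the classic multi-line WinEventLog format, and shows which events reach `indexQueue` in each case. The event text, source names and event codes are constructed for illustration.

```python
"""Model Splunk's parsing-time queue routing for WinEventLog events.

Equivalent corrected configuration (assumed; not from the original post):

  props.conf
    [WinEventLog:Application]
    TRANSFORMS-FilterEvents = setnull, keepErrors

  transforms.conf
    [setnull]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

    [keepErrors]
    REGEX = (?im)^Type=(Error|Critical)$
    DEST_KEY = queue
    FORMAT = indexQueue

Order matters: later transforms in the list overwrite the queue key set
by earlier ones, so "setnull" must come first and "keepErrors" second.
"""
import re

# Constructed sample events (classic, non-XML WinEventLog rendering).
EVENTS = [
    "LogName=Application\nSourceName=SampleApp\nEventCode=1000\n"
    "Type=Error\nMessage=Faulting application sampleapp.exe",
    "LogName=Application\nSourceName=SampleApp\nEventCode=1001\n"
    "Type=Information\nMessage=Service started",
    "LogName=System\nSourceName=Kernel-Power\nEventCode=41\n"
    "Type=Critical\nMessage=The system rebooted without cleanly shutting down",
    # Warning whose message happens to contain the word "Critical".
    "LogName=System\nSourceName=Disk\nEventCode=7\n"
    "Type=Warning\nMessage=Critical threshold reached on volume D:",
]

# Transform list as posted: one stanza, match -> nullQueue.
POSTED = [(r"(?ism)Type=Error|Critical", "nullQueue")]

# Corrected list: send everything to nullQueue, then re-admit only events
# whose Type line is exactly Error or Critical (grouped and line-anchored).
CORRECTED = [
    (r".", "nullQueue"),
    (r"(?im)^Type=(Error|Critical)$", "indexQueue"),
]


def route(events, transforms):
    """Apply an ordered list of (REGEX, FORMAT) transforms as Splunk does
    for DEST_KEY = queue: every matching transform rewrites the queue, so
    the last match wins. Returns the events that reach indexQueue."""
    kept = []
    for ev in events:
        queue = "indexQueue"  # default destination when nothing matches
        for pattern, dest in transforms:
            if re.search(pattern, ev):
                queue = dest
        if queue == "indexQueue":
            kept.append(ev)
    return kept


def event_codes(events):
    """EventCode values of the given events, in order, for compact reporting."""
    return [re.search(r"EventCode=(\d+)", ev).group(1) for ev in events]


if __name__ == "__main__":
    # Posted config keeps only the Information event; the Error and Critical
    # events, and the Warning mentioning "Critical", are all discarded.
    print("posted   ->", event_codes(route(EVENTS, POSTED)))
    # Corrected config keeps the Error and Critical events only.
    print("corrected->", event_codes(route(EVENTS, CORRECTED)))
```

Splunk evaluates `REGEX` with PCRE rather than Python's `re`, but the constructs used here (inline flags, grouping, line anchors) behave the same in both. Depending on the Splunk version and Windows add-on in use, the same filtering can also be done at the input with a key=regex `whitelist` on the event type; check the `inputs.conf.spec` shipped with your version before relying on it.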

Super Champion

So what behavior are you seeing? BTW, why do you have [WinEventLog://Application] instead of just [WinEventLog:Application]? What's the "\\" for?
