I am using the Universal Forwarder to collect Windows Security logs from my Domain Controllers. All the logs were being dumped into the "default" (main) index, and we wanted to move to a new index.
I created a new index called "windows". I changed the "c:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf" file on the DCs and modified as such:
[default]
host = DCHostName
[WinEventLog://Security]
index=windows
I restarted the Universal Forwarder service. I confirmed that the new events are being written to the new index. That is working correctly.
I wanted to move the "old" logs that have been written to the "main" index to the "windows" index, so I used this command:
index=main AND sourcetype="WinEventLog:Security" | collect index=windows sourcetype="WinEventLog:Security"
I verified that all the logs moved by comparing the count:
(index=main OR index=windows) AND sourcetype="WinEventLog:Security" | stats count(EventCode) by index
Since all the logs moved, I deleted the logs from the main index:
index=main AND sourcetype="WinEventLog:Security" | delete
However, I discovered several of the fields are not being parsed/indexed/identified correctly. For example, Account_Name is NULL, and Keywords is NULL for all of the logs that were moved from the main index to the windows index. New logs that are written are being indexed/parsed/identified correctly.
Did I miss a step? Shouldn't all of the fields that were moved from the "main" index be indexed in the "windows" index? They were properly indexed/parsed/identified before I moved them from main.
All of my dashboards and reports that were correct previously are blank or incorrect now, because the field-value pairs aren't being properly identified.
Thanks for any help you can provide!
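The count comparison in the post only shows that the same number of events exist in both indexes; it says nothing about whether search-time field extraction still works on the copied events. The SPL below is an added example (not part of the original post) of a per-index field-coverage check that would have exposed the missing Account_Name and Keywords values before the `| delete` step. The index names, sourcetype and field names are taken from the post; the time range and the field list are assumptions to adjust for your environment.

```spl
(index=main OR index=windows) sourcetype="WinEventLog:Security" earliest=-24h
| stats count AS total
        count(EventCode) AS with_eventcode
        count(Account_Name) AS with_account_name
        count(Keywords) AS with_keywords
        by index
| eval pct_account_name = round(100 * with_account_name / total, 1),
       pct_keywords     = round(100 * with_keywords / total, 1)
| table index total with_eventcode with_account_name pct_account_name with_keywords pct_keywords
```

Because `count(<field>)` only counts events where that field is non-null, a destination index whose `pct_account_name` or `pct_keywords` is far below the source index's value tells you the events were copied but their field extractions no longer apply. Run this before deleting from the source index, since `| delete` only hides the events and cannot be reversed to recover them.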