Hello, I am fairly new to the Splunk administration side of things.
I am attempting to change the ingest index for WinEventLog from index=main > index=windows.
I am on a single-instance Splunk Enterprise system.
I have tried two methods, both on the Splunk server:
1. props.conf and transforms.conf
/opt/splunk/etc/system/local/transforms.conf:
[RedirectWinEventLog]
REGEX = WinEventLog
DEST_KEY = _MetaData:Index
FORMAT = windows

[Redirectwineventlog]
REGEX = wineventlog
DEST_KEY = _MetaData:Index
FORMAT = windows
/opt/splunk/etc/system/local/props.conf:
[WinEventLog]
TRANSFORMS-index = RedirectWinEventLog

[wineventlog]
TRANSFORMS-index = Redirectwineventlog
After restarting Splunk and the Windows UF, the logs were still going to index=main.
2. inputs.conf
/opt/splunk/etc/system/local/inputs.conf:
[WinEventLog]
index = windows
After restarting Splunk and the Windows UF, the logs were still going to index=main.
I am at my wits' end searching documentation and forums.
Any help would be greatly appreciated.
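An added offline lint for this kind of index-routing setup (example code written for this page, not from Splunk or the poster): it parses props.conf, transforms.conf and indexes.conf and reports the usual reasons events stay in the default index. It assumes the UF sends the classic sourcetype WinEventLog:Security, which a literal [WinEventLog] props stanza does not match, and that the target index must be declared in indexes.conf; all config text below is constructed.

```python
import configparser
# Added example (not from the post). Constructed configs for the indexer's etc/system/local;
# assumes the UF sends the classic sourcetype WinEventLog:Security.
TRANSFORMS_CONF = """
[RedirectWinEventLog]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = windows
"""
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-index = RedirectWinEventLog
"""
INDEXES_CONF = """
[windows]
homePath = $SPLUNK_DB/windows/db
coldPath = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb
"""
def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; keys stay case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def lint_routing(props, transforms, indexes, sourcetypes):
    """Return problems that would leave events in the default index (empty list = OK).
    Only literal sourcetype stanzas are modelled, not source::/host::/wildcard stanzas."""
    problems = []
    for st in sourcetypes:
        stanza = props.get(st)
        if stanza is None:  # [WinEventLog] does not match sourcetype WinEventLog:Security
            problems.append(f"props.conf: no stanza matches sourcetype {st!r}")
            continue
        refs = ",".join(v for k, v in stanza.items() if k.startswith("TRANSFORMS-"))
        for name in (n.strip() for n in refs.split(",") if n.strip()):
            t = transforms.get(name)
            if t is None:
                problems.append(f"{st}: TRANSFORMS refers to missing stanza {name!r}")
            elif t.get("DEST_KEY") != "_MetaData:Index":
                problems.append(f"{name}: DEST_KEY must be _MetaData:Index to change the index")
            elif t.get("FORMAT") not in indexes:
                problems.append(f"{name}: index {t.get('FORMAT')!r} is not defined in indexes.conf")
    return problems

def check_sample(props_text=PROPS_CONF, sourcetypes=("WinEventLog:Security",)):
    """Lint a props.conf text against the constructed transforms.conf and indexes.conf above."""
    return lint_routing(parse_conf(props_text), parse_conf(TRANSFORMS_CONF),
                        parse_conf(INDEXES_CONF), list(sourcetypes))
```

Running check_sample() on the poster's literal [WinEventLog] stanza text reports the sourcetype mismatch; on a stanza named for the real sourcetype it returns an empty list.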