Hi,
I need some help 🙂
scheme: 3 Universal Forwarders -> collecting/forwarding -> Indexer
uf:
Changed every UF host (windows:applications and services logs) from to .
indexer:
I added a tcp listener in: Manager -> Forwarding and receiving -> Configure receiving
inputs.conf:
[default]
host = splunk.domain.local
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog:Application]
disabled = 1
[WinEventLog:ForwardedEvents]
disabled = 1
[WinEventLog:HardwareEvents]
disabled = 1
[WinEventLog:Internet Explorer]
disabled = 1
[WinEventLog:Security]
disabled = 1
[WinEventLog:Setup]
disabled = 1
[WinEventLog:System]
disabled = 1
props.conf:
[host::*.domain.local]
TZ = GMT+4
TRANSFORMS-set= setnull,setdbls,kix_exclude_dbls
transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setdbls]
REGEX = (?msi)^EventType=(1|2)
DEST_KEY = _MetaData:Index
FORMAT = db_ls
[kix_exclude_dbls]
REGEX = (?msi)^EventCode=(1722|1332|53).+ComputerName=E[1-5]TS1
DEST_KEY = queue
FORMAT = nullQueue
If I comment out the [setnull] block, everything works fine, but logs that are not EventType=(1|2) are collected in the default index. If I enable the [setnull] block, ALL logs are removed. However, I want to put the [setdbls] events in the "db_ls" index and remove the others.
Thanks.
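For comparison, below is Splunk's documented "keep some events, discard the rest" pattern applied to the stanzas above. This is an added illustration, not part of the original post, and it assumes the db_ls index already exists on the indexer; the stanza names and regexes are reused from the post unchanged. The mechanism it relies on: transforms listed in a TRANSFORMS-<class> setting run in the order written, and every transform whose DEST_KEY is queue overwrites the value set by the previous one. A catch-all nullQueue transform therefore has to run first, and a second transform has to put the wanted events back onto indexQueue. A transform that only rewrites _MetaData:Index never touches the queue, which is why setdbls on its own cannot rescue events that setnull has already discarded. These settings belong on the parsing tier (indexer or heavy forwarder); universal forwarders do not evaluate props/transforms routing.

```ini
# props.conf on the indexer (added example, not the original poster's config)
[host::*.domain.local]
TZ = GMT+4
# Order matters: discard everything, re-admit the wanted events,
# apply the narrower exclusion, then retag the index of what is left.
TRANSFORMS-set = setnull, setparsing, kix_exclude_dbls, setdbls

# transforms.conf on the indexer
[setnull]
# Catch-all: every event starts out headed for the null queue.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
# Same match as setdbls; moves matching events back into the indexing pipeline.
REGEX = (?msi)^EventType=(1|2)
DEST_KEY = queue
FORMAT = indexQueue

[kix_exclude_dbls]
# Runs after setparsing so it can drop these specific events again.
REGEX = (?msi)^EventCode=(1722|1332|53).+ComputerName=E[1-5]TS1
DEST_KEY = queue
FORMAT = nullQueue

[setdbls]
# Only changes the destination index; has no effect on the queue.
REGEX = (?msi)^EventType=(1|2)
DEST_KEY = _MetaData:Index
FORMAT = db_ls
```

After restarting the indexer, `splunk btool props list --debug host::*.domain.local` and `splunk btool transforms list --debug` show which file each stanza is actually being read from, which is the usual way to confirm that a local override is winning. A quick check that routing behaves as intended is a search such as `index=db_ls | stats count by host, EventCode` alongside `index=main host=*.domain.local` over the same time range: the second should return nothing once the catch-all is in place.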