I have a universal forwarder installed on my Windows server. I am trying to send Event Logs with certain Event Types to the indexer server. In addition to that, I am sending files stored in a location on my server to the indexer server. All this data needs to be sent to a particular index on the indexer server. However, when I search the indexer by the index name, I am not able to get any results.
inputs.conf from my Forwarder:
[default]
host = WIN2K3CPT

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Application]
disabled = 0
index = applogrc
sourcetype = srcapplogrc
whitelist = SourceName="^RC_ProcessInstAppService_Failure$"
whitelist1 = SourceName="^RC_ProductTransferService_Failure$"
whitelist2 = SourceName="^RC_MarketOfferProcessor_Failure$"
whitelist3 = EventType="Warning"

[monitor://F:\inetpub\wwwroot\T3Report]
disabled = 0
index = applogrc
sourcetype = srcapplogrc
whitelist = CMC\.txt|RC\.txt
props.conf from the Indexer server:
[srcapplogrc]
TRANSFORMS-index = sendtoapplogrc
transforms.conf from the indexer server:
[sendtoapplogrc]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = applogrc
Why are Windows event logs not being forwarded to the specified index with my current configuration?
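As an added check (an example written for this page, not code from the question or from Splunk), here is a small Python model of how the posted WinEventLog whitelist values are applied, run against a few constructed events in the classic key=value event layout. It assumes the documented behaviour that whitelist, whitelist1, ... are alternative filters while the key=regex pairs inside one value must all match, and that in that layout EventType carries a number while the word Warning appears in the Type field.

```python
import re

# Whitelist values copied from the inputs.conf in the question above
# (key="regex" form; whitelist, whitelist1, ... are alternative filters).
WHITELIST_RULES = [
    'SourceName="^RC_ProcessInstAppService_Failure$"',
    'SourceName="^RC_ProductTransferService_Failure$"',
    'SourceName="^RC_MarketOfferProcessor_Failure$"',
    'EventType="Warning"',
]

# Constructed sample events in the classic WinEventLog key=value layout.
# EventType carries a number there; the word "Warning" lives in Type.
SAMPLE_EVENTS = [
    "LogName=Application\nSourceName=RC_ProcessInstAppService_Failure\n"
    "EventCode=1000\nEventType=1\nType=Error",
    "LogName=Application\nSourceName=MSSQLSERVER\n"
    "EventCode=17137\nEventType=2\nType=Warning",
    "LogName=Application\nSourceName=RC_MarketOfferProcessor_Failure\n"
    "EventCode=2\nEventType=4\nType=Information",
    "LogName=Application\nSourceName=ESENT\n"
    "EventCode=102\nEventType=4\nType=Information",
]

# One whitelist value may hold several key=regex pairs, quoted with " or %.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|%([^%]*)%)')

def parse_rule(rule):
    """Map each key in one whitelist value to its compiled regex (pairs are ANDed)."""
    return {key: re.compile(quoted or pct) for key, quoted, pct in PAIR_RE.findall(rule)}

def parse_event(raw):
    """Turn a classic key=value event body into a dict."""
    return dict(line.split("=", 1) for line in raw.splitlines() if "=" in line)

def rule_matches(pairs, event):
    # Every key=regex pair inside a single whitelist value must match the event.
    return all(key in event and rx.search(event[key]) for key, rx in pairs.items())

def admitted(rules, events):
    """Return (SourceName, index of the first whitelist that admits the event, or None)."""
    parsed = [parse_rule(r) for r in rules]
    result = []
    for raw in events:
        ev = parse_event(raw)
        hit = next((i for i, pairs in enumerate(parsed) if rule_matches(pairs, ev)), None)
        result.append((ev.get("SourceName"), hit))
    return result
```

`admitted(WHITELIST_RULES, SAMPLE_EVENTS)` shows which sample events the posted filters would forward; swapping the last rule for `Type="Warning"` shows what changes. Events that do pass still need the target index to exist on the indexer, since `index = applogrc` in inputs.conf already names the destination and the props/transforms pair only restates it.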