Hi Splunkers & Splunkettes,
I have a Splunk Indexer/Search Head running on a Windows platform and I'm trying to import a text file containing archived Windows Event Log (Application) events as you would any other type of log file.
[monitor://<path_to_file>/WindowsEventLog_Application.txt]
followTail = 0
host_segment = 3
index = winevents
sourcetype = WinEventLog:Application
queue = parsingQueue
The issue is, no field extractions take place for the events I put in by this method, but they do work for events collected locally via the [WindowsEventLog:Application] in the inputs.conf.
So despite both:
- Having the same sourcetype (WinEventLog:Application)
- Being in the same index
- Being accessed & visible in the same app
One works (the local event log interrogation), and one doesn't (mine :P)
I'd rather not reinvent the wheel and create all new props & transforms, when it's obviously in there and working for other data.
Any ideas?
PS. Splunk has been restarted.
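The extractions that come with the WinEventLog sourcetypes are keyed to the layout the Windows event log input itself writes (a timestamp line followed by Key=Value lines such as LogName=, EventCode= and ComputerName=, with Message= running on over several lines). An archive saved in any other layout will be indexed under the right sourcetype but search will have no EventCode, ComputerName or similar fields to pivot on, which quietly removes that data from any detection search that filters on them. The script below is an added example, not from the post or from Splunk, that checks a text archive against that assumed layout before ingestion: it splits events on the timestamp header, extracts the Key=Value fields the way the built-in extractions would, and reports events missing the fields you would expect. Both sample inputs are constructed; the second one imitates a tab-separated export and shows the failure mode (zero events recognised).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout Splunk's own Windows event log input writes
# (assumed for this example; the post does not show the archive's real contents).
SAMPLE_ARCHIVE = """\
06/25/2012 10:15:34 AM
LogName=Application
SourceName=Microsoft-Windows-Security-SPP
EventCode=1003
EventType=4
Type=Information
ComputerName=WKS01
TaskCategory=None
OpCode=Info
RecordNumber=12345
Keywords=Classic
Message=The Software Protection service has completed licensing status check.
06/25/2012 10:16:01 AM
LogName=Application
SourceName=MsiInstaller
EventCode=11707
EventType=4
Type=Information
ComputerName=WKS01
TaskCategory=None
OpCode=Info
RecordNumber=12346
Keywords=Classic
Message=Product: Example Agent -- Installation completed successfully.
Manufacturer: Example Corp.
"""

# Constructed sample in a different layout (one tab-separated line per event,
# like a spreadsheet export). Key=Value extractions have nothing to match here.
SAMPLE_TSV_EXPORT = (
    "Information\t6/25/2012 10:15:34 AM\tMicrosoft-Windows-Security-SPP\t1003\tNone\t"
    "The Software Protection service has completed licensing status check.\n"
)

# An event begins on a line that holds only a US-style timestamp.
EVENT_START = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$", re.MULTILINE)
# A field line is Key=Value with a plain identifier as the key.
KV_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)=(.*)$")
# Fields a search over WinEventLog data normally relies on.
EXPECTED_KEYS = ("LogName", "SourceName", "EventCode", "Type", "ComputerName")


def split_events(text: str) -> List[str]:
    """Cut the archive into raw events, one per timestamp header line."""
    starts = [m.start() for m in EVENT_START.finditer(text)]
    ends = starts[1:] + [len(text)]
    return [text[s:e].strip("\n") for s, e in zip(starts, ends)]


def parse_event(raw: str) -> Dict[str, str]:
    """Extract _time and Key=Value fields; lines without Key= continue the previous value."""
    lines = raw.split("\n")
    fields = {"_time": lines[0]}
    last_key = None
    for line in lines[1:]:
        m = KV_LINE.match(line)
        if m:
            last_key = m.group(1)
            fields[last_key] = m.group(2)
        elif last_key is not None:
            fields[last_key] += "\n" + line  # multi-line Message continuation
    return fields


def check_archive(text: str) -> Tuple[int, List[str]]:
    """Return (number of events recognised, list of problems found)."""
    events = [parse_event(e) for e in split_events(text)]
    problems: List[str] = []
    if not events:
        problems.append("no timestamp header lines found: archive is not in WinEventLog text layout")
    for i, ev in enumerate(events, 1):
        missing = [k for k in EXPECTED_KEYS if k not in ev]
        if missing:
            rec = ev.get("RecordNumber", "?")
            problems.append(f"event {i} (RecordNumber={rec}) missing {', '.join(missing)}")
    return len(events), problems


if __name__ == "__main__":
    for name, data in (("archive", SAMPLE_ARCHIVE), ("tsv export", SAMPLE_TSV_EXPORT)):
        count, problems = check_archive(data)
        print(f"{name}: {count} event(s)", *problems, sep="\n  ")
```

Run it against the real archive (read the file into `check_archive`) before pointing a monitor stanza at it: a clean report means the built-in extractions have something to match, while "no timestamp header lines found" means the file needs to be re-exported or converted into this layout first.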