Forums: SplunkGeneral: Change in 3.3 and forwarding.


So I have upgraded our lightweight forwarder to 3.3. Everything looks good, but on my index server I see that the logs that are forwarded show up a little differently.

Previously, if an event log was forwarded, it would pop up like this on the index server:

Scope, 192.168.100.0, is 45 percent full with only 25 IP addresses remaining.

But after the 3.3 upgrade, the logs are starting to show up like this:

1215834827
Category=0
CategoryString=none
EventCode=1020
EventType=2
Type=Warning
Message=Scope, 192.168.100.0, is 45 percent full with only 25 IP addresses remaining.

How do I remove the extraneous pieces of info?
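A small parser for the new 3.3-style layout shown above, added here as an example (not code from the thread or from Splunk): it reads the leading epoch timestamp, collects the key=value fields, and returns just the Message text the way the older forwarder emitted it. It assumes the first line is always the epoch timestamp and that Message is the last field, so any lines after it are treated as continuation of the message rather than new fields.

```python
import re
from datetime import datetime, timezone

# Constructed sample, copied from the format in the post above.
SAMPLE_EVENT = """1215834827
Category=0
CategoryString=none
EventCode=1020
EventType=2
Type=Warning
Message=Scope, 192.168.100.0, is 45 percent full with only 25 IP addresses remaining.
"""

# Constructed sample whose Message spans two lines (assumed layout).
SAMPLE_EVENT_MULTILINE = """1215834827
EventCode=1020
Type=Warning
Message=Scope, 192.168.100.0, is 45 percent full.
Only 25 IP addresses remaining.
"""

EPOCH_RE = re.compile(r"^\d{9,10}$")


def parse_event(raw):
    """Parse one forwarded event into a dict of fields plus a UTC '_time'."""
    lines = raw.strip("\n").splitlines()
    if not lines or not EPOCH_RE.match(lines[0].strip()):
        raise ValueError("first line is not an epoch timestamp")
    fields = {"_time": datetime.fromtimestamp(int(lines[0]), tz=timezone.utc)}
    in_message = False
    for line in lines[1:]:
        if in_message:
            # Assumption: everything after Message= belongs to the message,
            # even if it contains '=' or looks like another key.
            fields["Message"] += "\n" + line
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed field line: {line!r}")
        fields[key.strip()] = value
        in_message = key.strip() == "Message"
    return fields


def message_only(raw):
    """Return only the human-readable Message text, dropping the other fields."""
    return parse_event(raw)["Message"]
```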

Ah yes, this is the new Windows Event Log format that was decided on. I don't think there is a way to just view the event, as the "Message" field isn't extracted right. Let me file a bug.

Another thing I noticed is that (probably due to this bug) a single event log will get truncated into two. I'm hoping that once that bug gets fixed, it will report a complete event log in one field.

I have previously noticed an issue with the line breaking on Windows events and filed a bug on it.

On the other note, I filed a case with support and talked to the product managers about the Windows Event Log format. Bugs were filed on the timestamp being in epoch time and the Message field not being extracted properly. They would like to know what the ideal format would be for the raw message.
