Alloy, Windows Eventlog and Splunk

Hi,

Is it technically possible to send Windows Eventlog data from Windows with Alloy to Splunk untouched?

We have tried to replace the Splunk forwarder with Alloy, but then the log data is received as JSON in our Splunk instance, and the default Eventlog-Splunk parser does not work.

We are using: loki.source.windowsevent and otelcol.exporter.splunkhec

Thank you, cnu

I believe it does it as JSON by default.

You could use this to get what you need?

```alloy
// stage.json lives inside a loki.process component; the component label and
// the forward_to target below are assumptions, not part of the original snippet.
loki.process "winevent" {
  // Pull fields out of the JSON body that loki.source.windowsevent emits.
  stage.json {
    expressions = {
      level  = "levelText",
      source = "source",
    }
  }
  forward_to = [loki.write.default.receiver]
}
```

You can send Windows Eventlog data to Splunk via Alloy in the native format Splunk expects, but your current setup is converting events to JSON. You need to add an otelcol.processor.transform component to your pipeline to reformat the data before sending it to Splunk HEC. This transform should convert the structured data into the format that Splunk’s default Eventlog parser expects. Configure the HEC exporter with the correct sourcetype (WinEventLog) and ensure your transformation matches Splunk’s expected format.
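An end-to-end Alloy pipeline along the lines of this reply, written here as an added example (it is not code from the thread or from the Alloy project). It reads the Security channel, rebuilds each JSON event as the key=value text block Splunk's WinEventLog sourcetype parses, bridges the entries into the OpenTelemetry pipeline with `otelcol.receiver.loki`, stamps the HEC sourcetype with `otelcol.processor.transform`, and exports over HEC. Assumptions: the JSON field names beyond `levelText` and `source` (`channel`, `computer`, `event_id`, `message`), the `com.splunk.sourcetype` and `com.splunk.source` attribute names the exporter reads, the `export_raw` attribute, the `SPLUNK_HEC_TOKEN` variable, the index name and the HEC URL are all placeholders or assumed values, not taken from the page.

```alloy
// Read the Security channel. loki.source.windowsevent emits one JSON line per
// event with fields such as channel, computer, event_id, levelText, source
// and message (field names beyond levelText/source are assumed).
loki.source.windowsevent "security" {
  eventlog_name = "Security"
  forward_to    = [loki.process.splunk_format.receiver]
}

loki.process "splunk_format" {
  // Pull the fields we need out of the JSON body.
  stage.json {
    expressions = {
      channel   = "channel",
      computer  = "computer",
      event_id  = "event_id",
      levelText = "levelText",
      source    = "source",
      message   = "message",
    }
  }

  // Rebuild the event as the key=value block Splunk's WinEventLog sourcetype
  // expects. The exact line set is assumed: compare with what the Splunk
  // Universal Forwarder emits in your environment and adjust.
  stage.template {
    source   = "splunk_line"
    template = "LogName={{ .channel }}\nEventCode={{ .event_id }}\nSourceName={{ .source }}\nComputerName={{ .computer }}\nType={{ .levelText }}\nMessage={{ .message }}"
  }

  // Replace the JSON log line with the rebuilt text.
  stage.output {
    source = "splunk_line"
  }

  forward_to = [otelcol.receiver.loki.default.receiver]
}

// Bridge Loki-style entries into the OpenTelemetry pipeline.
otelcol.receiver.loki "default" {
  output {
    logs = [otelcol.processor.transform.splunk_meta.input]
  }
}

// Tag every record with the HEC sourcetype and source Splunk should apply.
// The attribute names are the exporter's assumed default mapping.
otelcol.processor.transform "splunk_meta" {
  error_mode = "ignore"

  log_statements {
    context = "log"
    statements = [
      `set(attributes["com.splunk.sourcetype"], "WinEventLog:Security")`,
      `set(attributes["com.splunk.source"], "WinEventLog:Security")`,
    ]
  }

  output {
    logs = [otelcol.exporter.splunkhec.default.input]
  }
}

otelcol.exporter.splunkhec "default" {
  splunk {
    token      = sys.env("SPLUNK_HEC_TOKEN") // placeholder environment variable
    sourcetype = "WinEventLog"               // fallback when a record carries no sourcetype attribute
    index      = "main"                      // assumed index name
    export_raw = true                        // send the body text as-is instead of a JSON event (assumed attribute)
  }

  client {
    endpoint = "https://splunk.example.internal:8088/services/collector" // placeholder HEC URL
  }
}
```

Check the result on the Splunk side before cutting over: search the index with the `WinEventLog:Security` sourcetype and confirm the fields the default parser normally extracts (EventCode, ComputerName, SourceName) populate. If they do not, the template's line names are the first thing to compare against a sample event captured from the Universal Forwarder.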