Solved: Log Ingest

Pabloabad · ‎20 Jun 2024

Good morning,
I have activated the option to ingest the logs from the wiondows event viewer, but I would like to ingest only the logs that come from a specific "winlog.provider".
Is it possible to do this and not ingest the rest? or should I always filter from logs and events to be able to see it?

Esam_Eid · ‎20 Jun 2024

you need to create processing rule to drop the unwanted logs

https://docs.dynatrace.com/managed/observe-and-explore/log-monitoring/log-processing/log-processing-...

https://docs.dynatrace.com/managed/shortlink/log-monitoring-log-processing-examples

Regards,

Dynatrace Certified Professional

Pabloabad · ‎20 Jun 2024

Thanks for the answer.

But actually is harder for us to filter out all the logs that we don't want than filter in the ones that we want.

Is it posible to make a rule to filter only the logs we want?

Esam_Eid · ‎20 Jun 2024

Create a processing rule like

matcher

log.source="Windows Application Log" AND winlog.provider!=".Net Runtime" AND dt.entity.process_group_instance="XXXXXXX"

process definition

FILTER_OUT(true)

move it to the last rule

Hopefully it will work for you

Dynatrace Certified Professional

Pabloabad · ‎20 Jun 2024

Still get this response in DQL Query

Esam_Eid · ‎20 Jun 2024

Try Without matchesvalues. Are you using classic logs?

Dynatrace Certified Professional

Eric_Yu · ‎20 Jun 2024

Seems like there isn't a filter for winlog.provider, but a workaround could be to use another property that you've identified that only comes with logs that come from that provider.

My first thought would be to use the log content with wildcards for matching:

However, you can try other attribute that makes more sense to you. Hope it helps.

Eric Yu | LATAM ACE Consultant