https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692637#M17967 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244593">@Chiranjeev</a>&nbsp;,</P><P>what's the format of your logs?</P><P>it's the standard windows or a different one?</P><P>I experienced many issues using a concentrator for windows logs.</P><P>If the format is different, you shuld reparse them.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 08 Jul 2024 12:25:09 GMT gcusello 2024-07-08T12:25:09Z https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692601#M17959 <P>I am having issues with action extraction on my windows addon . for example the eventcode 4624 should have an action value of <STRONG>success&nbsp;</STRONG>,but nothing is being extracted and this eventcode constitutes majority of the data .the status is being extracted correctly&nbsp; as success.does anyone know how action is being extracted for this eventcode.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 08 Jul 2024 08:13:39 GMT https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692601#M17959 Chiranjeev 2024-07-08T08:13:39Z https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692615#M17961 <P>There is something wrong.</P><P>But seriously - you haven't shown us anything regarding your data and your configuration. You haven't told us what your architecture is and where this addon is installed.</P><P>My glass orb is undergoing annual maintenance...</P> Mon, 08 Jul 2024 10:01:03 GMT https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692615#M17961 PickleRick 2024-07-08T10:01:03Z https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692621#M17962 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244593">@Chiranjeev</a>&nbsp;,</P><P>did you enabled inputs in the add-on? by default they are disabled.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 08 Jul 2024 10:24:11 GMT https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692621#M17962 gcusello 2024-07-08T10:24:11Z https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692627#M17963 <P>we have a centralized collector via WEF for our windows logs where a uf with windows addon is sending logs to splunkcloud,where also we have a ta addon .</P> Mon, 08 Jul 2024 11:26:19 GMT https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692627#M17963 Chiranjeev 2024-07-08T11:26:19Z https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692628#M17964 <P>inputs are enabled for system,app,security logs&nbsp; ,its just action field is not being correctly extracted for event codes</P> Mon, 08 Jul 2024 11:36:02 GMT https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692628#M17964 Chiranjeev 2024-07-08T11:36:02Z https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692637#M17967 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244593">@Chiranjeev</a>&nbsp;,</P><P>what's the format of your logs?</P><P>it's the standard windows or a different one?</P><P>I experienced many issues using a concentrator for windows logs.</P><P>If the format is different, you shuld reparse them.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 08 Jul 2024 12:25:09 GMT https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692637#M17967 gcusello 2024-07-08T12:25:09Z https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692648#M17968 <P>OK. Show us one of your 4624 events found in verbose mode (blur sensitive data if needed).</P><P>BTW, looking at my 4624 events I don't see anything that should yield action=success extraction.</P> Mon, 08 Jul 2024 14:57:09 GMT https://community.splunk.com/t5/Security/windows-ta-addon-not-extracting-action/m-p/692648#M17968 PickleRick 2024-07-08T14:57:09Z