topic Windows event log fields are not extracted properly in All Apps and Add-ons

Windows event log fields are not extracted properly

sh_tavousi — Thu, 11 Feb 2021 09:44:45 GMT

In some instances, Windows event log fields are not extracted properly but in others they are extracted properly.

Re: Windows event log fields are not extracted properly

yeasuh — Thu, 11 Feb 2021 16:33:33 GMT

Hi my name is Yeasuh and I am a Community Content Specialist for Splunk Answers. Thank you for participating in the Splunk Answers community. To increase your chances of getting help from the community, please make sure that the title/subject line you use is descriptive and explains the question with enough detail. When posting questions in the future, please provide more information and context.

Thanks!

Re: Windows event log fields are not extracted properly

gcusello — Thu, 11 Feb 2021 16:42:32 GMT

Hi @sh_tavousi,

could you describe better your need?

what do you mean with instances?
are you using the Splunk_TA_Windows?
which fields aren't extracted properly?

Ciao.

Giuseppe

Re: Windows event log fields are not extracted properly

sh_tavousi — Sat, 13 Feb 2021 05:20:13 GMT

When I search source="wineventlog:security" or "wineventlog:system" in some hosts in search head, results are not extracted. They are raw but others are extracted properly. I have installed UF on hosts and also I have used Splunk_TA_Windows.

I've looked at a lot of conf files and no luck as of yet.

Shohre

Re: Windows event log fields are not extracted properly

gcusello — Sun, 14 Feb 2021 08:50:24 GMT

Hi @sh_tavousi,

did you installed Splunk_TA_windows only on Forwarders or also on Search Heads?

Which fields aren't recognized?

Did you run the searches always in Verbose Mode?

Ciao.

Giuseppe

Re: Windows event log fields are not extracted properly

sh_tavousi — Wed, 17 Feb 2021 06:42:39 GMT

Yes, I installed Splunk_TA_windows on Forwarders and on Search Heads.

In WinEventLog :security and WinEventLog:system, all fields are not extracted like Event Code, Event ID, Account Name and ... . However other hosts do not have any problems and I have all field extracted.

I do not run searches in Verbose Mode. My search is " index=main source=WinEventLog :security" and then results in some hosts are not extracted.

Shohre

Re: Windows event log fields are not extracted properly

gcusello — Wed, 17 Feb 2021 07:40:41 GMT

Hi @sh_tavousi,

it's a very strange behavior!

please some last checks:

logs recognized and not recognized are in the same language? I had some problem having logs from some server in Italian instead of English.
sourcetype is the same in both logs?

Ciao.

Giuseppe

Re: Windows event log fields are not extracted properly

sh_tavousi — Sun, 21 Feb 2021 06:06:24 GMT

Hi Giuseppe,

Yes, logs recognized and not recognized are in the same language.

Sourcetype is note the same in both logs. In extracted logs sourcetype=wineventlog but in not recognized logs sourcetype=xmlwineventlog.

Shohre.

Re: Windows event log fields are not extracted properly

gcusello — Mon, 22 Feb 2021 07:16:22 GMT

Hi @sh_tavousi,

this is the problem: field extractions are usually related to sourcetype, if you have a different sourcetype, surely you haven't the same extractions.

So you have two ways to solve the problem:

override the sourcetype value,
duplicate windows extraction for xmlwineventlog.

the first solution is easier: you have to change the sourcetype assign in input or add an overriding on Indexers or (when present) on Heavy Forwarders (for more infos see at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Advancedsourcetypeoverrides ).

If you want to maintain a different sourcetype, you have to create all the extractions you need using regexes.

Ciao.

Giuseppe

Re: Windows event log fields are not extracted properly

gcusello — Sat, 06 Mar 2021 16:02:18 GMT

Hi @sh_tavousi,

Good for You.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉