topic Re: Duplicate EventCode when using Splunk Add-on for Windows in All Apps and Add-ons

Duplicate EventCode when using Splunk Add-on for Windows

Na_Kang_Lim — Fri, 30 May 2025 15:38:29 GMT

Splunk Add-on for Windows is well-known and I am using it to parse my XmlWinEventLog. However, upon using, I am getting EventCode as a duplicated codes in multiline, like this:

4688 4688

I think I could find the reason, as in the transforms.conf, there are 2 function for detecting EventCode:

[EventID_as_EventCode] SOURCE_KEY = EventID REGEX = (.+) FORMAT = EventCode::$1 [EventID2_as_EventCode] REGEX = <EventID.*?>(.+?)<\/EventID>.* FORMAT = EventCode::$1

And in the props.conf, both function is called:

REPORT-EventCode_from_xml = EventID_as_EventCode, EventID2_as_EventCode

However, I have never seen someone mentioned this issue, so is this because of my log? My log is the XML WinEventLog like this:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'> <System> <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{68ad733a-0b7e-4010-a246-bad643c2e4c1}' /> <EventID>4688</EventID> <Version>2</Version> <Level>0</Level> <Task>13312</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime='2025-05-30T10:55:19.179279400Z' /> <EventRecordID>25849216</EventRecordID> <Correlation /> <Execution ProcessID='4' ThreadID='7780' /> <Channel>Security</Channel> <Computer>ABCD-DE01.company.domain</Computer> <Security /> </System> <EventData> <Data Name='SubjectUserSid'>S-1-5-18</Data> <Data Name='SubjectUserName'>ABCD-DE01$</Data> <Data Name='SubjectDomainName'>COMPANY.DOMAIN</Data> <Data Name='SubjectLogonId'>0x3e7</Data> <Data Name='NewProcessId'>0x1c48</Data> <Data Name='NewProcessName'>C:\Windows\System32\net1.exe</Data> <Data Name='TokenElevationType'>%%1936</Data> <Data Name='ProcessId'>0x2a2c</Data> <Data Name='CommandLine'>C:\Windows\system32\net1 accounts</Data> <Data Name='TargetUserSid'>S-1-0-0</Data> <Data Name='TargetUserName'>-</Data> <Data Name='TargetDomainName'>-</Data> <Data Name='TargetLogonId'>0x0</Data> <Data Name='ParentProcessName'>C:\Windows\System32\net.exe</Data> <Data Name='MandatoryLabel'>S-1-16-16384</Data> </EventData> </Event>

The result of this is that the functions called below, using EventCode, cannot match the EventCode, like this one:

EVAL-process_name = if(EventCode=4688, New_Process_Name, Process_Name)

Re: Duplicate EventCode when using Splunk Add-on for Windows

gcusello — Fri, 30 May 2025 15:41:31 GMT

Hi @Na_Kang_Lim ,

I hadn't noticed the problem, but in any case, since it's an add-on maintained by Splunk, open a case with Splunk Support.

Ciao.

Giuseppe

Re: Duplicate EventCode when using Splunk Add-on for Windows

pscookiemonster — Mon, 23 Jun 2025 16:04:32 GMT

Just posting to confirm this, though I've never written in.

Running into it now as generating a summary index is changing the value type to AFAICT a string, meaning the previous value of 5136, 5136, which is searchable via EventCode=5136, is now broken in the summary index, where the value is now something like "5136\n5136" which... is not helpful at all.

Re: Duplicate EventCode when using Splunk Add-on for Windows

Na_Kang_Lim — Tue, 01 Jul 2025 10:48:57 GMT

Can you describe in more details your situation, and had you any solution?

Because I don't think we are using any kind of summary index, we got this duplicate EventCode in the regular index

And strangely enough, this only happen to our "XmlWinEventLog:Security" log, others like "XmlWinEventLog:Application" or "XmlWinEventLog:DNS Server" got their EventCode normal - as single values!

Re: Duplicate EventCode when using Splunk Add-on for Windows

PickleRick — Tue, 01 Jul 2025 12:32:28 GMT

Are you sure you don't have indexed extractions enabled by any chance? Since automatic KV extractions happen after manual extractions the EventID field should not be populated when you're hitting the transforms so the first transform (EventID_as_EventCode) should _not_ set the field to any value.

Re: Duplicate EventCode when using Splunk Add-on for Windows

Na_Kang_Lim — Tue, 01 Jul 2025 13:11:33 GMT

Can you tell me where to check if I have indexed extractions enabled?

I don't know if this is relevant, but I do have the EventID field normal. So the EventCode maybe

4624 4624

but the EventID is just 4624. And like I mentioned in the comments below, this only happen to my "XmlWinEventLog:Security" and "XmlWinEventLog:DNS Server", does not affect other XmlWinEventLog like Application and System. Which from my perspective, is really strange!

Re: Duplicate EventCode when using Splunk Add-on for Windows

PickleRick — Tue, 01 Jul 2025 13:30:12 GMT

I think the easiest way to verify whether that field is indexed (there might be some additional index-time extraction, apart from simple indexed-extraction configuration for the whole event; yes, I know it's confusing ;-)) is to try to search for

index=your_windows_index EventID::4624

The important thing is that you're not looking for

EventID=4624

but for

EventID::4624

If you get any results that will mean that this field is indeed indexed and you have to search where it's extracted in index time.

Re: Duplicate EventCode when using Splunk Add-on for Windows

Na_Kang_Lim — Thu, 17 Jul 2025 08:07:09 GMT

Hi everyone,

The OP is here.

My problem has been solved.

The cause was that one of our admins, mistakenly create another EXTRACT- clause for EventID in another app.

So here is my advice if you ever get into similar situation:

1. Find whether the field is being affected, is created with index-time extraction or search-time extraction. You check this either using the `::` operator, or in the props.conf and transforms.conf file (REPORT- and EXTRACT- are search time, which happen on search head; and TRANSFORMS- is index-time which happen on Indexers). Look into how it is extracted!

2. Then grep the field name in the apps directory (or slave-apps, master-apps - depend on your scope and set up), look into all the functions that affected the field in props.conf and transforms.conf

Re: Duplicate EventCode when using Splunk Add-on for Windows

gcusello — Thu, 17 Jul 2025 08:11:09 GMT

Hi @Na_Kang_Lim ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉