<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Help with Extracting WinEventLog Fields in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-Extracting-WinEventLog-Fields/m-p/504201#M85963</link>
    <description>&lt;P&gt;Hi Splunkers,&lt;/P&gt;&lt;P&gt;Has anyone seen this or something similar?&amp;nbsp; We are collecting Windows Event Logs from Windows servers via a logging tool and they are being forwarded to a Splunk HF.&amp;nbsp; Due to the logging system format, Splunk is not parsing the fields automatically.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is a sample event:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;Jun 11 12:00:08 LOGGING-SERVER.domain.com 1 2020-06-11T19:00:03.529Z WINSVR001 - - - [Originator@6876 eventid="4624" task="Logon" keywords="Audit Success" level="Information" channel="Security" opcode="Info" eventrecordid="383694869" providername="Microsoft-Windows-Security-Auditing"] An account was successfully logged on.
	
	Subject:
		Security ID:		S-1-5-20
		Account Name:		WINSVR001-V$
		Account Domain:		AD
		Logon ID:		0x3e4
	
	Logon Type:			8
	
	New Logon:
		Security ID:		S-1-5-21-503695880-123456789-3595387526-4510
		Account Name:		jdoe
		Account Domain:		AD
		Logon ID:		0x139c67d30
		Logon GUID:		{F325D620-6114-0657-01BF-F25C4AD21656}
	
	Process Information:
		Process ID:		0x3f8
		Process Name:		D:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
	
	Network Information:
		Workstation Name:	WINSVR001-V
		Source Network Address:	-
		Source Port:		-
	
	Detailed Authentication Information:
		Logon Process:		Advapi  
		Authentication Package:	Negotiate
		Transited Services:	-
		Package Name (NTLM only):	-
		Key Length:		0
	&lt;/LI-CODE&gt;&lt;P&gt;We are using Splunk Add-on for Microsoft Windows 8.0.&amp;nbsp; Is it possible to modify the existing conf files to have the fields parsed?&amp;nbsp; Using the add-on with all the defined fields will integrate with CIM and ES nicely. I'm trying to avoid reinventing the wheel and doing a brute-force regex on the whole event.&lt;/P&gt;&lt;P&gt;If you're up to the challenge, I'm looking for:&lt;/P&gt;&lt;P&gt;- Is it possible to modify the Splunk Add-on for Microsoft Windows 8.0 to recognize the above wineventlog format?&lt;/P&gt;&lt;P&gt;- Can someone help me with the regex to parse all the wineventlog fields and values?&lt;/P&gt;&lt;P&gt;I appreciate the help in advance.&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;H&lt;/P&gt;</description>
    <pubDate>Fri, 12 Jun 2020 16:33:15 GMT</pubDate>
    <dc:creator>hfernandez_</dc:creator>
    <dc:date>2020-06-12T16:33:15Z</dc:date>
    <item>
      <title>Help with Extracting WinEventLog Fields</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-Extracting-WinEventLog-Fields/m-p/504201#M85963</link>
      <description>&lt;P&gt;Hi Splunkers,&lt;/P&gt;&lt;P&gt;Has anyone seen this or something similar?&amp;nbsp; We are collecting Windows Event Logs from Windows servers via a logging tool and they are being forwarded to a Splunk HF.&amp;nbsp; Due to the logging system format, Splunk is not parsing the fields automatically.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is a sample event:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;Jun 11 12:00:08 LOGGING-SERVER.domain.com 1 2020-06-11T19:00:03.529Z WINSVR001 - - - [Originator@6876 eventid="4624" task="Logon" keywords="Audit Success" level="Information" channel="Security" opcode="Info" eventrecordid="383694869" providername="Microsoft-Windows-Security-Auditing"] An account was successfully logged on.
	
	Subject:
		Security ID:		S-1-5-20
		Account Name:		WINSVR001-V$
		Account Domain:		AD
		Logon ID:		0x3e4
	
	Logon Type:			8
	
	New Logon:
		Security ID:		S-1-5-21-503695880-123456789-3595387526-4510
		Account Name:		jdoe
		Account Domain:		AD
		Logon ID:		0x139c67d30
		Logon GUID:		{F325D620-6114-0657-01BF-F25C4AD21656}
	
	Process Information:
		Process ID:		0x3f8
		Process Name:		D:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
	
	Network Information:
		Workstation Name:	WINSVR001-V
		Source Network Address:	-
		Source Port:		-
	
	Detailed Authentication Information:
		Logon Process:		Advapi  
		Authentication Package:	Negotiate
		Transited Services:	-
		Package Name (NTLM only):	-
		Key Length:		0
	&lt;/LI-CODE&gt;&lt;P&gt;We are using Splunk Add-on for Microsoft Windows 8.0.&amp;nbsp; Is it possible to modify the existing conf files to have the fields parsed?&amp;nbsp; Using the add-on with all the defined fields will integrate with CIM and ES nicely. I'm trying to avoid reinventing the wheel and doing a brute-force regex on the whole event.&lt;/P&gt;&lt;P&gt;If you're up to the challenge, I'm looking for:&lt;/P&gt;&lt;P&gt;- Is it possible to modify the Splunk Add-on for Microsoft Windows 8.0 to recognize the above wineventlog format?&lt;/P&gt;&lt;P&gt;- Can someone help me with the regex to parse all the wineventlog fields and values?&lt;/P&gt;&lt;P&gt;I appreciate the help in advance.&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;H&lt;/P&gt;</description>
      <pubDate>Fri, 12 Jun 2020 16:33:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-Extracting-WinEventLog-Fields/m-p/504201#M85963</guid>
      <dc:creator>hfernandez_</dc:creator>
      <dc:date>2020-06-12T16:33:15Z</dc:date>
    </item>
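Added worked example, not part of the original post and not the Splunk Add-on for Microsoft Windows' own extraction logic: a Python parser for the relayed event shown above. It assumes the logging tool always emits the same shape (syslog timestamp, relay host, RFC 5424 style version/timestamp/host, three "-" fields, one structured-data block, then the untouched Windows message body with tab-indented sections). The sample event is re-typed inline with tabs; the output field names follow the add-on's underscore convention (Logon_Type, Account_Name) but the section prefixes (Subject_, New_Logon_) and the CIM mapping in to_cim are this example's own choices, not the add-on's.

```python
import re

# Constructed sample: the relayed Security event from the post, re-typed with
# tab indentation as the forum rendered it (assumption: this is the raw layout).
SAMPLE = (
    'Jun 11 12:00:08 LOGGING-SERVER.domain.com 1 2020-06-11T19:00:03.529Z WINSVR001 - - - '
    '[Originator@6876 eventid="4624" task="Logon" keywords="Audit Success" level="Information" '
    'channel="Security" opcode="Info" eventrecordid="383694869" '
    'providername="Microsoft-Windows-Security-Auditing"] An account was successfully logged on.\n'
    '\t\n\tSubject:\n\t\tSecurity ID:\t\tS-1-5-20\n\t\tAccount Name:\t\tWINSVR001-V$\n'
    '\t\tAccount Domain:\t\tAD\n\t\tLogon ID:\t\t0x3e4\n\t\n\tLogon Type:\t\t\t8\n\t\n'
    '\tNew Logon:\n\t\tSecurity ID:\t\tS-1-5-21-503695880-123456789-3595387526-4510\n'
    '\t\tAccount Name:\t\tjdoe\n\t\tAccount Domain:\t\tAD\n\t\tLogon ID:\t\t0x139c67d30\n'
    '\t\tLogon GUID:\t\t{F325D620-6114-0657-01BF-F25C4AD21656}\n\t\n'
    '\tProcess Information:\n\t\tProcess ID:\t\t0x3f8\n'
    '\t\tProcess Name:\t\tD:\\Program Files\\Microsoft\\Exchange Server\\V14\\ClientAccess'
    '\\PopImap\\Microsoft.Exchange.Imap4.exe\n\t\n'
    '\tNetwork Information:\n\t\tWorkstation Name:\tWINSVR001-V\n'
    '\t\tSource Network Address:\t-\n\t\tSource Port:\t\t-\n\t\n'
    '\tDetailed Authentication Information:\n\t\tLogon Process:\t\tAdvapi  \n'
    '\t\tAuthentication Package:\tNegotiate\n\t\tTransited Services:\t-\n'
    '\t\tPackage Name (NTLM only):\t-\n\t\tKey Length:\t\t0\n'
)

# Header line: syslog time, relay host, version, ISO time, origin host, then
# appname/procid/msgid as "-", the [SD ...] block and the free-text summary.
HEADER_RE = re.compile(
    r'^\w{3} +\d+ +[\d:]+ +(\S+) +\d+ +(\S+) +(\S+) +\S+ +\S+ +\S+ +\[([^\]]*)\] *(.*)$'
)
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')
# "Key:<tabs>Value" lines. The key stops at the FIRST colon so a value such as
# "D:\Program Files\..." keeps its drive letter.
KV_RE = re.compile(r'^([^:\t]+):\s*(.*)$')


def parse_event(raw):
    """Return a flat dict of fields from one relayed Windows event."""
    first, _, body = raw.partition('\n')
    m = HEADER_RE.match(first)
    if m is None:
        raise ValueError('not a relayed Windows event header')
    relay, ts, host, sd, summary = m.groups()
    fields = {'relay': relay, '_time': ts, 'host': host, 'message': summary.strip()}
    # Structured-data params become fields verbatim: eventid, task, keywords, ...
    sd_id, _, params = sd.partition(' ')
    fields['sd_id'] = sd_id
    fields.update(dict(SD_PARAM_RE.findall(params)))
    # Body: a "Name:" line with no value opens a section; keys indented deeper
    # than it get the section as a prefix, so the two "Account Name" values
    # (Subject vs New Logon) never collide. A key at the section's own indent
    # (e.g. "Logon Type:") closes the section.
    section, section_depth = None, 0
    for line in body.split('\n'):
        depth = len(line) - len(line.lstrip('\t'))
        stripped = line.strip()
        if not stripped:
            continue
        km = KV_RE.match(stripped)
        if km is None:
            continue
        key, value = km.group(1).strip(), km.group(2).strip()
        if not value:
            section, section_depth = key, depth
            continue
        if section is not None and depth == section_depth:
            section = None
        name = key if section is None else section + ' ' + key
        fields[re.sub(r'[^A-Za-z0-9]+', '_', name).strip('_')] = value
    return fields


def _nz(value):
    # The Windows message uses "-" for "not applicable"; drop it for CIM fields.
    return None if value in (None, '-') else value


def to_cim(fields):
    """Map parsed fields to CIM Authentication names (this example's own mapping,
    modeled on how 4624 is commonly normalized, not copied from the add-on)."""
    keywords = fields.get('keywords')
    action = {'Audit Success': 'success', 'Audit Failure': 'failure'}.get(keywords, 'unknown')
    return {
        'EventCode': fields.get('eventid'),
        'action': action,
        'dest': fields.get('host'),
        'user': _nz(fields.get('New_Logon_Account_Name')),
        'src_user': _nz(fields.get('Subject_Account_Name')),
        'Logon_Type': fields.get('Logon_Type'),
        'src': _nz(fields.get('Network_Information_Source_Network_Address')),
        'app': _nz(fields.get('Detailed_Authentication_Information_Authentication_Package')),
        'signature': fields.get('message'),
    }


if __name__ == '__main__':
    parsed = parse_event(SAMPLE)
    for k in ('eventid', 'host', 'Logon_Type', 'Subject_Account_Name', 'New_Logon_Account_Name'):
        print(k, '=', parsed[k])
    print(to_cim(parsed))
```

The two regexes are the pieces you would carry into props.conf/transforms.conf for a sourcetype of your own: SD_PARAM_RE as a key/value REPORT over the bracketed block, and KV_RE as a multi-line extraction over the body. The add-on's stock extractions are written for the sourcetypes it collects itself (WinEventLog and XmlWinEventLog), so events arriving under a syslog sourcetype will not trigger them regardless of content; the practical route is a custom sourcetype whose extractions emit the same field names, after which the CIM tags and eventtypes can be aliased onto it. Note the user/src_user split: in a 4624 the Subject is the account that requested the logon (here the machine account), and New Logon is the account that actually authenticated, and collapsing the two Account Name values into one multivalued field loses that distinction for ES correlation.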
  </channel>
</rss>

