https://community.splunk.com/t5/Splunk-Search/Analyzing-PowerShell-logs-in-Splunk/m-p/660088#M227870 <P><SPAN>Thank you very much for this suggestion.</SPAN></P> Sun, 08 Oct 2023 04:35:00 GMT quangnm21 2023-10-08T04:35:00Z https://community.splunk.com/t5/Splunk-Search/Analyzing-PowerShell-logs-in-Splunk/m-p/659994#M227842 <P>Hello everyone. I'm currently working on a lab assignment and I'm having trouble understanding the meaning of two specific fields in PowerShell log hunting. Could someone please explain these two fields to me? I would greatly appreciate it. Thank you.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="quangnm21_0-1696604173479.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27486i336C8E3E81FF1481/image-size/medium?v=v2&amp;px=400" role="button" title="quangnm21_0-1696604173479.png" alt="quangnm21_0-1696604173479.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="quangnm21_1-1696604205140.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27487iFFD98B94030DB25C/image-size/medium?v=v2&amp;px=400" role="button" title="quangnm21_1-1696604205140.png" alt="quangnm21_1-1696604205140.png" /></span></P><P>&nbsp;</P> Fri, 06 Oct 2023 14:58:40 GMT https://community.splunk.com/t5/Splunk-Search/Analyzing-PowerShell-logs-in-Splunk/m-p/659994#M227842 quangnm21 2023-10-06T14:58:40Z https://community.splunk.com/t5/Splunk-Search/Analyzing-PowerShell-logs-in-Splunk/m-p/660005#M227844 <P>I don't know PowerShell logs...but in a situation like this I would set the Selected to Yes for the fields you're trying to figure out.&nbsp; Based on your screen shots, those fields appear for 100% of your events.&nbsp; When you set that to Yes, you will see the field &amp; value appear with each event in your results.&nbsp; Then you can try and match up what the value is with the text that's there in the event.<BR /><BR />But - also keep in mind there could be calculated events, too.&nbsp; For example, MessageTotal might be the # of bytes in the event, and won't actually appear within the data.&nbsp; Having them displayed with each event will help you deduce what they might represent, though - if MessageTotal was 1 for a whole bunch of 1-byte events, then you know your answer.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="selected_yes.png" style="width: 853px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27488iE41D7D07521B5AB0/image-size/large?v=v2&amp;px=999" role="button" title="selected_yes.png" alt="selected_yes.png" /></span></P> Fri, 06 Oct 2023 16:07:31 GMT https://community.splunk.com/t5/Splunk-Search/Analyzing-PowerShell-logs-in-Splunk/m-p/660005#M227844 _JP 2023-10-06T16:07:31Z https://community.splunk.com/t5/Splunk-Search/Analyzing-PowerShell-logs-in-Splunk/m-p/660088#M227870 <P><SPAN>Thank you very much for this suggestion.</SPAN></P> Sun, 08 Oct 2023 04:35:00 GMT https://community.splunk.com/t5/Splunk-Search/Analyzing-PowerShell-logs-in-Splunk/m-p/660088#M227870 quangnm21 2023-10-08T04:35:00Z