All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Duplicate EventCode when using Splunk Add-on for Windows

Na_Kang_Lim
Path Finder
‎05-30-2025 08:38 AM

Splunk Add-on for Windows is well-known and I am using it to parse my XmlWinEventLog. However, upon using, I am getting EventCode as a duplicated codes in multiline, like this:

4688
4688

I think I could find the reason, as in the transforms.conf, there are 2 function for detecting EventCode:

[EventID_as_EventCode]
SOURCE_KEY = EventID
REGEX = (.+)
FORMAT = EventCode::$1

[EventID2_as_EventCode]
REGEX = <EventID.*?>(.+?)<\/EventID>.*
FORMAT = EventCode::$1

And in the props.conf, both function is called:

REPORT-EventCode_from_xml = EventID_as_EventCode, EventID2_as_EventCode

However, I have never seen someone mentioned this issue, so is this because of my log? My log is the XML WinEventLog like this:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-Security-Auditing'
            Guid='{68ad733a-0b7e-4010-a246-bad643c2e4c1}' />
        <EventID>4688</EventID>
        <Version>2</Version>
        <Level>0</Level>
        <Task>13312</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime='2025-05-30T10:55:19.179279400Z' />
        <EventRecordID>25849216</EventRecordID>
        <Correlation />
        <Execution ProcessID='4' ThreadID='7780' />
        <Channel>Security</Channel>
        <Computer>ABCD-DE01.company.domain</Computer>
        <Security />
    </System>
    <EventData>
        <Data Name='SubjectUserSid'>S-1-5-18</Data>
        <Data Name='SubjectUserName'>ABCD-DE01$</Data>
        <Data Name='SubjectDomainName'>COMPANY.DOMAIN</Data>
        <Data Name='SubjectLogonId'>0x3e7</Data>
        <Data Name='NewProcessId'>0x1c48</Data>
        <Data Name='NewProcessName'>C:\Windows\System32\net1.exe</Data>
        <Data Name='TokenElevationType'>%%1936</Data>
        <Data Name='ProcessId'>0x2a2c</Data>
        <Data Name='CommandLine'>C:\Windows\system32\net1 accounts</Data>
        <Data Name='TargetUserSid'>S-1-0-0</Data>
        <Data Name='TargetUserName'>-</Data>
        <Data Name='TargetDomainName'>-</Data>
        <Data Name='TargetLogonId'>0x0</Data>
        <Data Name='ParentProcessName'>C:\Windows\System32\net.exe</Data>
        <Data Name='MandatoryLabel'>S-1-16-16384</Data>
    </EventData>
</Event>

 The result of this is that the functions called below, using EventCode, cannot match the EventCode, like this one:

EVAL-process_name = if(EventCode=4688, New_Process_Name, Process_Name)
Labels (3)
Reply
1 Solution
Solved! Jump to solution
Solution

Na_Kang_Lim
Path Finder
yesterday

Hi everyone,

The OP is here.

My problem has been solved. 

The cause was that one of our admins, mistakenly create another EXTRACT- clause for EventID in another app.

So here is my advice if you ever get into similar situation:

1. Find whether the field is being affected, is created with index-time extraction or search-time extraction. You check this either using the `::` operator, or in the props.conf and transforms.conf file (REPORT- and EXTRACT- are search time, which happen on search head; and TRANSFORMS- is index-time which happen on Indexers). Look into how it is extracted!

2. Then grep the field name in the apps directory (or slave-apps, master-apps - depend on your scope and set up), look into all the functions that affected the field in props.conf and transforms.conf

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Na_Kang_Lim
Path Finder
yesterday

Hi everyone,

The OP is here.

My problem has been solved. 

The cause was that one of our admins, mistakenly create another EXTRACT- clause for EventID in another app.

So here is my advice if you ever get into similar situation:

1. Find whether the field is being affected, is created with index-time extraction or search-time extraction. You check this either using the `::` operator, or in the props.conf and transforms.conf file (REPORT- and EXTRACT- are search time, which happen on search head; and TRANSFORMS- is index-time which happen on Indexers). Look into how it is extracted!

2. Then grep the field name in the apps directory (or slave-apps, master-apps - depend on your scope and set up), look into all the functions that affected the field in props.conf and transforms.conf

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
yesterday

Hi @Na_Kang_Lim ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
2 weeks ago

Are you sure you don't have indexed extractions enabled by any chance? Since automatic KV extractions happen after manual extractions the EventID field should not be populated when you're hitting the transforms so the first transform (EventID_as_EventCode) should _not_ set the field to any value.

0 Karma
Reply
Solved! Jump to solution

Na_Kang_Lim
Path Finder
2 weeks ago

Can you tell me where to check if I have indexed extractions enabled?

I don't know if this is relevant, but I do have the EventID field normal. So the EventCode maybe

4624
4624

but the EventID is just 4624. And like I mentioned in the comments below, this only happen to my "XmlWinEventLog:Security" and "XmlWinEventLog:DNS Server",  does not affect other XmlWinEventLog like Application and System. Which from my perspective, is really strange!

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
2 weeks ago

I think the easiest way to verify whether that field is indexed (there might be some additional index-time extraction, apart from simple indexed-extraction configuration for the whole event; yes, I know it's confusing ;-)) is to try to search for

index=your_windows_index EventID::4624

The important thing is that you're not looking for 

EventID=4624

but for 

EventID::4624

If you get any results that will mean that this field is indeed indexed and you have to search where it's extracted in index time.

0 Karma
Reply
Solved! Jump to solution

pscookiemonster
Explorer
4 weeks ago

Just posting to confirm this, though I've never written in.

Running into it now as generating a summary index is changing the value type to AFAICT a string, meaning the previous value of 5136, 5136, which is searchable via EventCode=5136, is now broken in the summary index, where the value is now something like "5136\n5136" which... is not helpful at all.

0 Karma
Reply
Solved! Jump to solution

Na_Kang_Lim
Path Finder
2 weeks ago

Can you describe in more details your situation, and had you any solution?

Because I don't think we are using any kind of summary index, we got this duplicate EventCode in the regular index

And strangely enough, this only happen to our "XmlWinEventLog:Security" log, others like "XmlWinEventLog:Application" or "XmlWinEventLog:DNS Server" got their EventCode normal - as single values!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-30-2025 08:41 AM

Hi @Na_Kang_Lim ,

I hadn't noticed the problem, but in any case, since it's an add-on maintained by Splunk, open a case with Splunk Support.

Ciao.

Giuseppe

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...