All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Duplicate EventCode when using Splunk Add-on for Windows

Na_Kang_Lim
Path Finder
‎05-30-2025 08:38 AM

Splunk Add-on for Windows is well-known and I am using it to parse my XmlWinEventLog. However, upon using, I am getting EventCode as a duplicated codes in multiline, like this:

4688
4688

I think I could find the reason, as in the transforms.conf, there are 2 function for detecting EventCode:

[EventID_as_EventCode]
SOURCE_KEY = EventID
REGEX = (.+)
FORMAT = EventCode::$1

[EventID2_as_EventCode]
REGEX = <EventID.*?>(.+?)<\/EventID>.*
FORMAT = EventCode::$1

And in the props.conf, both function is called:

REPORT-EventCode_from_xml = EventID_as_EventCode, EventID2_as_EventCode

However, I have never seen someone mentioned this issue, so is this because of my log? My log is the XML WinEventLog like this:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-Security-Auditing'
            Guid='{68ad733a-0b7e-4010-a246-bad643c2e4c1}' />
        <EventID>4688</EventID>
        <Version>2</Version>
        <Level>0</Level>
        <Task>13312</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime='2025-05-30T10:55:19.179279400Z' />
        <EventRecordID>25849216</EventRecordID>
        <Correlation />
        <Execution ProcessID='4' ThreadID='7780' />
        <Channel>Security</Channel>
        <Computer>ABCD-DE01.company.domain</Computer>
        <Security />
    </System>
    <EventData>
        <Data Name='SubjectUserSid'>S-1-5-18</Data>
        <Data Name='SubjectUserName'>ABCD-DE01$</Data>
        <Data Name='SubjectDomainName'>COMPANY.DOMAIN</Data>
        <Data Name='SubjectLogonId'>0x3e7</Data>
        <Data Name='NewProcessId'>0x1c48</Data>
        <Data Name='NewProcessName'>C:\Windows\System32\net1.exe</Data>
        <Data Name='TokenElevationType'>%%1936</Data>
        <Data Name='ProcessId'>0x2a2c</Data>
        <Data Name='CommandLine'>C:\Windows\system32\net1 accounts</Data>
        <Data Name='TargetUserSid'>S-1-0-0</Data>
        <Data Name='TargetUserName'>-</Data>
        <Data Name='TargetDomainName'>-</Data>
        <Data Name='TargetLogonId'>0x0</Data>
        <Data Name='ParentProcessName'>C:\Windows\System32\net.exe</Data>
        <Data Name='MandatoryLabel'>S-1-16-16384</Data>
    </EventData>
</Event>

 The result of this is that the functions called below, using EventCode, cannot match the EventCode, like this one:

EVAL-process_name = if(EventCode=4688, New_Process_Name, Process_Name)
Labels (3)
Reply

PickleRick
SplunkTrust
SplunkTrust
2 weeks ago

Are you sure you don't have indexed extractions enabled by any chance? Since automatic KV extractions happen after manual extractions the EventID field should not be populated when you're hitting the transforms so the first transform (EventID_as_EventCode) should _not_ set the field to any value.

0 Karma
Reply

Na_Kang_Lim
Path Finder
2 weeks ago

Can you tell me where to check if I have indexed extractions enabled?

I don't know if this is relevant, but I do have the EventID field normal. So the EventCode maybe

4624
4624

but the EventID is just 4624. And like I mentioned in the comments below, this only happen to my "XmlWinEventLog:Security" and "XmlWinEventLog:DNS Server",  does not affect other XmlWinEventLog like Application and System. Which from my perspective, is really strange!

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
2 weeks ago

I think the easiest way to verify whether that field is indexed (there might be some additional index-time extraction, apart from simple indexed-extraction configuration for the whole event; yes, I know it's confusing ;-)) is to try to search for

index=your_windows_index EventID::4624

The important thing is that you're not looking for 

EventID=4624

but for 

EventID::4624

If you get any results that will mean that this field is indeed indexed and you have to search where it's extracted in index time.

0 Karma
Reply

pscookiemonster
Explorer
3 weeks ago

Just posting to confirm this, though I've never written in.

Running into it now as generating a summary index is changing the value type to AFAICT a string, meaning the previous value of 5136, 5136, which is searchable via EventCode=5136, is now broken in the summary index, where the value is now something like "5136\n5136" which... is not helpful at all.

0 Karma
Reply

Na_Kang_Lim
Path Finder
2 weeks ago

Can you describe in more details your situation, and had you any solution?

Because I don't think we are using any kind of summary index, we got this duplicate EventCode in the regular index

And strangely enough, this only happen to our "XmlWinEventLog:Security" log, others like "XmlWinEventLog:Application" or "XmlWinEventLog:DNS Server" got their EventCode normal - as single values!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-30-2025 08:41 AM

Hi @Na_Kang_Lim ,

I hadn't noticed the problem, but in any case, since it's an add-on maintained by Splunk, open a case with Splunk Support.

Ciao.

Giuseppe

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top