Splunk Add-on for Windows is well-known and I am using it to parse my XmlWinEventLog. However, upon using it, I am getting EventCode as duplicated codes on multiple lines, like this:
4688
4688
I think I could find the reason, as in transforms.conf there are 2 functions for detecting EventCode:
[EventID_as_EventCode]
SOURCE_KEY = EventID
REGEX = (.+)
FORMAT = EventCode::$1
[EventID2_as_EventCode]
REGEX = <EventID.*?>(.+?)<\/EventID>.*
FORMAT = EventCode::$1
And in props.conf, both functions are called:
REPORT-EventCode_from_xml = EventID_as_EventCode, EventID2_as_EventCode
However, I have never seen anyone mention this issue, so is this because of my log? My log is the XML WinEventLog, like this:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Security-Auditing'
Guid='{68ad733a-0b7e-4010-a246-bad643c2e4c1}' />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime='2025-05-30T10:55:19.179279400Z' />
<EventRecordID>25849216</EventRecordID>
<Correlation />
<Execution ProcessID='4' ThreadID='7780' />
<Channel>Security</Channel>
<Computer>ABCD-DE01.company.domain</Computer>
<Security />
</System>
<EventData>
<Data Name='SubjectUserSid'>S-1-5-18</Data>
<Data Name='SubjectUserName'>ABCD-DE01$</Data>
<Data Name='SubjectDomainName'>COMPANY.DOMAIN</Data>
<Data Name='SubjectLogonId'>0x3e7</Data>
<Data Name='NewProcessId'>0x1c48</Data>
<Data Name='NewProcessName'>C:\Windows\System32\net1.exe</Data>
<Data Name='TokenElevationType'>%%1936</Data>
<Data Name='ProcessId'>0x2a2c</Data>
<Data Name='CommandLine'>C:\Windows\system32\net1 accounts</Data>
<Data Name='TargetUserSid'>S-1-0-0</Data>
<Data Name='TargetUserName'>-</Data>
<Data Name='TargetDomainName'>-</Data>
<Data Name='TargetLogonId'>0x0</Data>
<Data Name='ParentProcessName'>C:\Windows\System32\net.exe</Data>
<Data Name='MandatoryLabel'>S-1-16-16384</Data>
</EventData>
</Event>
The result of this is that the functions called below, which use EventCode, cannot match the EventCode, like this one:
EVAL-process_name = if(EventCode=4688, New_Process_Name, Process_Name)
Are you sure you don't have indexed extractions enabled by any chance? Since automatic KV extractions happen after manual extractions, the EventID field should not be populated when you're hitting the transforms, so the first transform (EventID_as_EventCode) should _not_ set the field to any value.
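To make the mechanism in the answer above concrete, here is a small model of the two REPORT transforms quoted in the question, applied to the sample event from the thread. This is added example code, not part of the Splunk add-on or of any post in this thread; the way it models Splunk's search-time extraction (each transform runs its REGEX against its SOURCE_KEY, defaulting to _raw, and every capture is appended to EventCode) is a simplifying assumption. The sample event is a constructed abbreviation of the XML shown in the question.

```python
import re

# Constructed sample event, abbreviated from the XML event shown in the question.
# Only the <EventID> element matters for the two transforms.
RAW_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Security-Auditing' Guid='{68ad733a-0b7e-4010-a246-bad643c2e4c1}' />
<EventID>4688</EventID>
<Version>2</Version>
<Channel>Security</Channel>
<Computer>ABCD-DE01.company.domain</Computer>
</System>
</Event>"""

# The two transforms.conf stanzas as quoted in the question.
# EventID2_as_EventCode has no SOURCE_KEY, so it runs against _raw.
TRANSFORMS = [
    {"name": "EventID_as_EventCode", "source_key": "EventID",
     "regex": r"(.+)"},
    {"name": "EventID2_as_EventCode", "source_key": "_raw",
     "regex": r"<EventID.*?>(.+?)<\/EventID>.*"},
]


def apply_report_transforms(raw, existing_fields):
    """Simplified model (an assumption of this example) of REPORT-* extraction:
    each transform matches its REGEX against SOURCE_KEY and every capture is
    appended to EventCode. Two hits therefore produce a multivalue field."""
    fields = dict(existing_fields)
    fields["_raw"] = raw
    event_codes = []
    for t in TRANSFORMS:
        source = fields.get(t["source_key"])
        if source is None:
            # SOURCE_KEY not populated yet at this point of the pipeline:
            # the transform has nothing to match and does not fire.
            continue
        match = re.search(t["regex"], source, re.DOTALL)
        if match:
            event_codes.append(match.group(1))
    return event_codes


def extract_event_code(raw, eventid_indexed=False):
    """Return the list of EventCode values a search would see.

    eventid_indexed=True models the case the answer describes: EventID already
    exists as an index-time field, so the first transform can fire as well."""
    pre_existing = {}
    if eventid_indexed:
        match = re.search(r"<EventID[^>]*>([^<]+)</EventID>", raw)
        pre_existing["EventID"] = match.group(1)
    return apply_report_transforms(raw, pre_existing)


def summary_index_value(values):
    """Model of what a later comment reports: the multivalue collapsed into a
    newline-joined string, which no longer equals the single code."""
    return "\n".join(values)


if __name__ == "__main__":
    print("EventID not indexed :", extract_event_code(RAW_EVENT))
    print("EventID indexed     :", extract_event_code(RAW_EVENT, eventid_indexed=True))
    collapsed = summary_index_value(extract_event_code(RAW_EVENT, eventid_indexed=True))
    print("collapsed value == '4688'?", collapsed == "4688")
```

With EventID absent at search time only the regex over _raw fires and EventCode is the single value 4688; with EventID already populated, both stanzas fire and EventCode becomes the two-valued field the question shows, which is why the suggested EventID::4624 check (a search on the index-time field) is the quickest way to tell the two cases apart.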
Can you tell me where to check if I have indexed extractions enabled?
I don't know if this is relevant, but I do have the EventID field as normal. So the EventCode may be
4624
4624
but the EventID is just 4624. And as I mentioned in the comments below, this only happens to my "XmlWinEventLog:Security" and "XmlWinEventLog:DNS Server"; it does not affect other XmlWinEventLog sources like Application and System, which, from my perspective, is really strange!
I think the easiest way to verify whether that field is indexed (there might be some additional index-time extraction, apart from simple indexed-extraction configuration for the whole event; yes, I know it's confusing ;-)) is to try to search for
index=your_windows_index EventID::4624
The important thing is that you're not looking for
EventID=4624
but for
EventID::4624
If you get any results that will mean that this field is indeed indexed and you have to search where it's extracted in index time.
Just posting to confirm this, though I've never written in.
Running into it now as generating a summary index is changing the value type to AFAICT a string, meaning the previous value of 5136, 5136, which is searchable via EventCode=5136, is now broken in the summary index, where the value is now something like "5136\n5136" which... is not helpful at all.
Can you describe in more details your situation, and had you any solution?
Because I don't think we are using any kind of summary index; we get this duplicate EventCode in the regular index.
And strangely enough, this only happens to our "XmlWinEventLog:Security" log; others like "XmlWinEventLog:Application" or "XmlWinEventLog:DNS Server" have their EventCode normal, as single values!
Hi @Na_Kang_Lim ,
I hadn't noticed the problem, but in any case, since it's an add-on maintained by Splunk, open a case with Splunk Support.
Ciao.
Giuseppe