All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Getting error message in CSV header field and not date (Splunk_TA_windows v8.2.0)

cboillot
Contributor
‎02-03-2022 07:19 AM

When running a search for"EventCode=35" OR "EventCode=36" OR "EventCode=37" OR "EventCode=38" source="WinEventLog:System" and then exporting that to a CVS file, column N through BN has the following message as its column header, where <workstation> is the workstation name:

If_this_is_the_first_occurrence_of_this_event_for_the_specified_computer_and_account__this_may_be_a_transient_issue_that_doesn_t_require_any_action_at_this_time___If_this_is_a_Read_Only_Domain_Controller_and__<workstation>___is_a_legitimate_machine_account_for_the_computer__<workstation>__then__<workstation>__should_be_marked_cacheable_for_this_location_if_appropriate_or_otherwise_ensure_connectivity_to_a_domain_controller__capable_of_servicing_the_request__for_example_a_writable_domain_controller____Otherwise__the_following_steps_may_be_taken_to_resolve_this_problem

I am told by the AD team that at leaset Column N should  be a date. Starting at column CC and going through EC, I am seeing this as the header:

Otherwise__assuming_that__<workstation>___is_not_a_legitimate_account__the_following_action_should_be_taken_on__<workstation>_

These headers are no where to be found when the search brings back data. they only show up when exporting to CSV. 

Anyone have any idea what is going on?

______

Edited to add: I also want to point out this only happen when searching in Smart or Verbose Mode.  it does not happen in Fast mode.

Labels (1)
Labels
0 Karma
Reply

b_tamu
Loves-to-Learn
‎02-03-2022 08:36 AM

You probably want to change you search into:

index = ad_6mths EventCode="35" OR EventCode="36" OR EventCode="37" OR EventCode="38" source="WinEventLog:System" NOT SourceName="Microsoft-Windows-Time-Service"

Followed by a few NOT <useraccounts>

See my result below where N column is _time (Date):

b_tamu_0-1643906173668.png

 

0 Karma
Reply

cboillot
Contributor
‎02-03-2022 09:16 AM

I also want to point out this only happen when searching in Smart or Verbose Mode.  it does not happen in Fast mode.

0 Karma
Reply

cboillot
Contributor
‎02-03-2022 09:07 AM

I did make those changes, but still getting the same thing.

 

cboillot_0-1643908048057.png

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-03-2022 07:27 AM

The column order in CSV export depends on the fields of the included events. Therefore your N column might be a completely different thing than my N column (in case of my home windows events export I just did for testing, the N column is "Client_Domain").

But in general - download the CSV and open it in a text editor. Your first row should contain column headers (field names) and the text you pasted seems like field content so either something is wrong with opening the file or it is indeed generated wrongly - open and see.

And it shouldn't have anything to do with Windows TA - CSV export is just export of results. If it's working OK in the WebUI, it should be exported properly.

0 Karma
Reply

b_tamu
Loves-to-Learn
‎02-03-2022 07:26 AM

Can you share your Splunk search?

0 Karma
Reply

cboillot
Contributor
‎02-03-2022 08:17 AM

index = ad_6mths "EventCode=35" OR "EventCode=36" OR "EventCode=37" OR "EventCode=38" source="WinEventLog:System" NOT "SourceName=Microsoft-Windows-Time-Service"

Followed by a few NOT <useraccounts>

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...