All Apps and Add-ons

Is there a template for the advanced configuration options of Splunk Add-on for Microsoft Windows?

Ultra Champion

I want to reduce index volume by taking advantage of the advanced configuration options to remove extra text and normalize inappropriate values in both Classic and XML WinEventLog events by using SEDCMD as introduced in the Configure props.conf section of Configure the Splunk Add-on for Windows documentation.

To reduce human error and reinventing the wheel, would anyone who created this be willing to share that part of their configuration file?

1 Solution

Ultra Champion

The official documentation has been updated to capture this guidance. See Configure the Splunk Add-on for Windows within Deploy and Use the Splunk Add-on for Windows for the official guidance.

View solution in original post

Ultra Champion

The official documentation has been updated to capture this guidance. See Configure the Splunk Add-on for Windows within Deploy and Use the Splunk Add-on for Windows for the official guidance.

View solution in original post

Ultra Champion

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Absolutely! Here's just those sections. Notice that the explanations still live in the Splunk_TA_windows/default/props.conf so read there to better understand what you're doing.

Make sure you append this to (or create) a Splunk_TA_windows/local/props.conf:

## Explanations available within default/props.conf. See https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/ConfigurationConfigure_props.conf
[source::WinEventLog:System]
    SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g

[source::WinEventLog:Security]
    SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
    SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
    SEDCMD-cleansrcip = s/(Source Network Address:  (\:\:1|127\.0\.0\.1))/Source Network Address:/
    SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
    SEDCMD-remove_ffff = s/::ffff://g
    SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
    SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
    SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g

    #For XmlWinEventLog:Security
    SEDCMD-cleanxmlsrcport = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
    SEDCMD-cleanxmlsrcip = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/

[source::WinEventLog:ForwardedEvents]
    SEDCMD-remove_ffff = s/::ffff://g
    SEDCMD-cleansrcipxml = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/
    SEDCMD-cleansrcportxml=s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
    SEDCMD-clean_rendering_info_block = s/<RenderingInfo Culture='.*'>(?s)(.*)<\/RenderingInfo>//

[WMI:WinEventLog:System]
    SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g

[WMI:WinEventLog:Security]
    SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
    SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
    SEDCMD-cleansrcip = s/(Source Network Address:  (\:\:1|127\.0\.0\.1))/Source Network Address:/
    SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
    SEDCMD-remove_ffff = s/::ffff://g
    SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
    SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
    SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g

Finally, it's important to recognize that SEDCMD usage causes an indexer increase processing of the data. As a result, there will be a related uptick in resource usage and processing time for each event which, over a large enough volume of affected data, could produce a 'latency' or slight delay in time from receiving and writing events.
Fortunately, this is easily mitigated by a healthy scaling of indexers and an even distribution of events from the forwarders to indexers. Ultimately, these SEDCMDs produce a strong improvement in search performance. This performance improvement easily outweighs the additional indexer processing.