Is there a way to get the Splunk Add-on for Microsoft Azure to parse and extract fields from WADWindowsEventLogsTable?

kmanson
Path Finder

In this app, is there a way to get the event log data to extract the fields just like the normal Splunk Universal Forwarder with Splunk_TA_windows? Right now description is just one large field.

0 Karma

jconger
Splunk Employee

Are you looking mainly at the Description field for extraction? There is a RawXml field as well, but most of that data is already in the JSON event. Either way, "yes" it is possible. The Description field will have some specifics in it that we can get similar to the Windows TA.

0 Karma

kmanson
Path Finder

Yes, mainly the description field, or extracting from the rawXML. Right now gathering the logs without the extraction is useless for CIM and ES environments.
Also, in the Azure app there is a lot of extra volume for the JSON and XML. For example, with the windows_TA, in an EventCode 4624 we truncate the plain text description that repeats the same info as the top table. In our case we get a 2.25KB event down to 986B. In the Azure version, uncut, it's 4.31KB per event. Windows security logs can be a massive sourcetype and every byte matters when we are talking about Splunk licensing.

0 Karma
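Added example, not code from this thread or from the Azure add-on: a stand-alone Python prototype of the two things asked for above, pulling Splunk_TA_windows-style fields (Logon_Type, Account_Name, ...) out of the Description text of a WADWindowsEventLogsTable JSON event, and cutting the repeated explanatory paragraph to measure the volume saved. The event is constructed, and the regexes are assumptions about the Description layout that you would port to props.conf (EXTRACT / SEDCMD) once checked against your own events.

```python
import json
import re

# Constructed sample Description in the shape of a Windows 4624 event (assumption).
SAMPLE_DESCRIPTION = (
    "An account was successfully logged on.\n\nSubject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-EXAMPLE$\n"
    "\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nNew Logon:\n"
    "\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\n"
    "This event is generated when a logon session is created. It is generated "
    "on the computer that was accessed.\n\nThe logon type field indicates..."
)
# Constructed, trimmed-down WADWindowsEventLogsTable-style JSON event.
SAMPLE_EVENT = json.dumps({"EventId": 4624, "Description": SAMPLE_DESCRIPTION})

# Explanatory paragraph that repeats the tabular data; Splunk_TA_windows drops
# the same text with a SEDCMD. Regex is an assumption about the wording.
BOILERPLATE = re.compile(r"(?s)\n\s*This event is generated when.*$")
# "Key:<tabs>Value" lines; section headers such as "Subject:" have no tab
# after the colon and are therefore skipped.
KV_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?):\t+(\S.*?)\s*$", re.M)


def trim_description(desc):
    """Remove the trailing explanatory text, keeping the key/value table."""
    return BOILERPLATE.sub("", desc)


def extract_fields(desc):
    """Return TA-style field names; keys seen in several sections become lists."""
    fields = {}
    for key, val in KV_LINE.findall(desc):
        fields.setdefault(key.strip().replace(" ", "_"), []).append(val)
    return {k: (v[0] if len(v) == 1 else v) for k, v in fields.items()}


def process_event(raw):
    """Parse one JSON event; return (fields, bytes_before, bytes_after_trim)."""
    evt = json.loads(raw)
    before = len(raw.encode())
    evt["Description"] = trim_description(evt["Description"])
    after = len(json.dumps(evt).encode())
    return extract_fields(evt["Description"]), before, after


if __name__ == "__main__":
    fields, before, after = process_event(SAMPLE_EVENT)
    print(json.dumps(fields, indent=2))
    print(f"{before} bytes -> {after} bytes after trimming")
```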