In this app, is there a way to get the event log data to extract the fields just like the normal Splunk Universal Forwarder with Splunk_TA_windows? Right now description is just one large field.
Are you looking mainly at the Description field for extraction? There is a RawXml field as well, but most of that data is already in the JSON event. Either way, "yes" it is possible. The Description field will have some specifics in it that we can get similar to the Windows TA.
Yes, mainly the description field, or extracting from the rawXML. Right now gathering the logs without the extraction is useless for CIM and ES environments.
Also, in the Azure app it has a lot of extra volume for the JSON and XML. For example, with the windows_TA in an EventCode 4624 we truncate the plain text description that repeats the same info as the top table. In our case we get a 2.25KB event down to 986B. In the Azure version uncut it's 4.31KB per event. Windows security logs can be a massive sourcetype and every byte matters when we are talking about Splunk licensing.
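The Description extraction and trimming discussed in this thread, as an added example that is not code from the Azure app or the Windows TA: a constructed EventCode 4624 Description (not a real event) is cut at the trailing explanatory paragraph, the way the TA trims it before indexing, and its label/value lines are flattened into section-prefixed fields. The function names and the sample text are assumptions.

```python
import re
# Constructed sample of an EventCode 4624 Description, shaped like the
# Windows Security log text (not a real event). Tabs separate label and value.
SAMPLE_4624 = (
    "An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tWORKSTATION01$\n"
    "\tLogon ID:\t\t0x3E7\n"
    "\n"
    "Logon Type:\t\t\t3\n"
    "\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001\n"
    "\tAccount Name:\t\tjdoe\n"
    "\n"
    "Network Information:\n"
    "\tSource Network Address:\t10.0.0.25\n"
    "\tSource Port:\t\t51234\n"
    "\n"
    "This event is generated when a logon session is created. "
    "It is generated on the computer that was accessed.\n"
)

# The Windows TA-style trim: everything from the explanatory paragraph
# onward repeats what the labelled lines already say, so it is dropped.
BOILERPLATE_RE = re.compile(r"\n\s*This event is generated.*", re.S)

def truncate_description(desc: str) -> str:
    """Drop the trailing explanatory paragraph, keeping only the field lines."""
    return BOILERPLATE_RE.sub("", desc).rstrip()

def parse_description(desc: str) -> dict:
    """Flatten label/value lines into a dict, prefixing indented lines with
    the section header above them so 'Account Name' under Subject and under
    New Logon do not collide (e.g. 'New_Logon.Account_Name')."""
    fields, section = {}, None
    for line in truncate_description(desc).splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue  # blank lines and the summary sentence have no colon
        label, value = m.group(1).strip().replace(" ", "_"), m.group(2).strip()
        indented = line.startswith("\t")
        if not indented and not value:
            section = label  # 'Subject:', 'New Logon:' open a section
            continue
        fields[f"{section}.{label}" if indented and section else label] = value
    return fields
```

Comparing `len(SAMPLE_4624)` with `len(truncate_description(SAMPLE_4624))` shows the per-event byte saving the trim buys before indexing.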