All Apps and Add-ons

Splunk Add-On for Microsoft Sysmon: Is XML preferred or recommended?

bobsim
New Member

Questions in the inputs.conf

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = true
renderXml = 1

I see the default is to disable XML however there are vague references to XM in the doc.   I saw it source types it to XML in the next line.

source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Are both types possible and is XML preferred or recommended?  I was looking for some advice and didn't see any in the doc. 

Thank you.

Labels (1)
0 Karma
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...