All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-On for Windows Event Cleanup- What is happening to my data?

mcfabrero_acn
Explorer
‎04-03-2023 03:23 AM

Hi All,

I am currently working on ingesting WinEventLog:Security data and noticed that the event has been cleaned up even though I didn't configure the SEDCMD extractions in my props configuration. Please note that the props.conf in my local folder is exactly the same copy of the props.conf in my default folder.

mcfabrero_acn_1-1680516872015.png

I am looking specifically at the certificate information and would like it to be seen in my data in Splunk

mcfabrero_acn_0-1680516618687.png

This is what it looks like in Splunk:

mcfabrero_acn_2-1680517101964.png

I expect to also have the same data as what I have in my source

mcfabrero_acn_3-1680517151508.png

Any idea what happened and how can I troubleshoot to determine what's causing this to my data?

Your help is greatly appreciated.

Thanks in advance!

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mcfabrero_acn
Explorer
‎04-10-2023 11:18 PM

We have the configurations in the deployment server which I wasn't able to use btool command but I was able to figure out what causes the missing text/lines. Apparently, there are other Windows TA folders configured and  I got to see where the SEDCMD extractions were enabled. I checked the source type configurations in our SH Cloud and found that the extractions were renamed differently instead of having the default 

     SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g

it was renamed to SEDCMD-clean2 s/Certificate information is only[\S\s\r\n]+$//g.

Appreciate your response! 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mcfabrero_acn
Explorer
‎04-10-2023 11:18 PM

We have the configurations in the deployment server which I wasn't able to use btool command but I was able to figure out what causes the missing text/lines. Apparently, there are other Windows TA folders configured and  I got to see where the SEDCMD extractions were enabled. I checked the source type configurations in our SH Cloud and found that the extractions were renamed differently instead of having the default 

     SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g

it was renamed to SEDCMD-clean2 s/Certificate information is only[\S\s\r\n]+$//g.

Appreciate your response! 🙂

0 Karma
Reply
Solved! Jump to solution

PaulPanther
Motivator
‎04-05-2023 05:51 AM

Have you verified with btool that the shown props.conf  setting are applied?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top