
Splunk Add-on for Microsoft Windows: Why is WinEventLog:Security EventCodeDescription data missing?

OldManEd
Builder

I just loaded the Splunk Windows Universal Forwarder 6.3 on a Windows box and ran the following search:

    index=<index name> sourcetype="WinEventLog:Security" | stats sparkline count by EventCode, EventCodeDescription

I received the message, "No Results Found".

I then altered the search to the following:

    index=<index name> sourcetype="WinEventLog:Security"

I did get results. I looked under "fields" and did not see eventcodedescription. I have searches that run on a Splunk 4.5 instance collecting data from older Windows boxes, and everything is fine. Has anyone seen this before? Is the problem with Splunk 6.3 Forwarder/Indexers, or with the Windows boxes themselves? I did install "Splunk_TA_Windows" on everything (Search Head/Deployment Server/Indexers/Forwarders) to parse the Windows log data, but I'm still not seeing the entry.

Any ideas?

0 Karma
1 Solution

OldManEd
Builder

OK, I found it. The old search was using a field called "EventCodeDescription". I don't know where/how this field was set. All I know is that this field was giving short Windows event code descriptions for event code numbers like these:

"4673"        "A privileged service was called"
"5058"        "Key file operation"
"4625"        "An account failed to log on"

And that's what I was looking for. I finally found a reference to a similar search, but this one was using the "name" field. And that was it. It appears that somewhere in my old instance of Splunk, the "name" field was renamed to "EventCodeDescription". I don't know where or by whom. But this "name" field is giving me exactly what I was looking for.


pappjr
Path Finder

As of Splunk_TA_windows 4.82 (released on 2/29/2016) it looks like EventCodeDescription has been renamed to 'signature'. This appears to be generated by an automatic lookup that should provide you the descriptions you're looking for right out of the box.

OldManEd
Builder

Hey pappjr, thanks for the update. I just ran a test search and it appears that the fields "name" and "signature" give me the same results in 6.3.0. It's all good.

0 Karma
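The thread shows the description field under three names depending on the Splunk_TA_windows version: "EventCodeDescription" in the old 4.x setup, "name" in 6.3.0, and "signature" from TA 4.82 onward. The search below is an added example (not from any poster, and not the TA's own content) that tolerates the rename by coalescing whichever of those fields is present. It assumes the Splunk_TA_windows lookup is installed on the search head; `<index name>` is a placeholder exactly as in the original post.

```spl
index=<index name> sourcetype="WinEventLog:Security"
| eval description=coalesce(signature, name, EventCodeDescription)
| fillnull value="(no description in lookup)" description
| stats sparkline count by EventCode, description
| sort - count
```

The `fillnull` line matters for the symptom in the original post: `stats ... by` silently drops every event whose group-by field is null, so grouping by a field that does not exist at all yields "No Results Found" rather than an error. Filling the gap keeps event codes the lookup does not cover visible in the results.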

woodcock
Esteemed Legend

Your forwarders are probably using suppress_text=true. Read about it here:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/MonitorWindowsdata

0 Karma

OldManEd
Builder

Woodcock,
From what I read, the default for "suppress_text" is false. But, just to be sure, I made an entry in the inputs.conf file to force it to false, "supress_text = 0", but nothing changed. I still don't see any data or even a field called "EventCodeDescription" in the 6.3 instance.

0 Karma