All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sysmon Add-on - lookup eventcode not processed correctly

corti77
Contributor
‎11-20-2023 04:16 AM

hi,

I have splunk 9.0.6 and sysmon add-on 3.1.0. 

The lookup table called "microsoft_sysmon_eventcode.csv" correctly appears in Splunk Lookup Table Files list.

corti77_0-1700482421026.png

 

But, in the automatic lookup, the Lookup-eventcode is wrongly assigned to "eventcode" lookup instead of "sysmon_eventcode".

corti77_1-1700482459755.png

 

Searching for this "eventcode" lookup, it belongs to the app Defender.

corti77_2-1700482545604.png

 

Surprisingly, when I tried to fix this bug using the UI, the sysmon_eventcode lookup table did not appear in the dropdown list. I only see "sysmon-record_type-lookup".

corti77_0-1700482896017.png

 

Do you have any idea what might be happening?

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...