
The EventCode lookups in the Splunk App for Windows Infrastructure return incorrect values

Ranazar
Path Finder

The Splunk App for Windows Infrastructure has the windows_signatures.csv lookup file:

signature_id,signature,CategoryString,action,result
512,"Windows NT is starting up",,,
...

1104,"The security Log is now full",,,

And then the lookup itself:

## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStatus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject

So here's the problem. I have an event coming from SharePoint with event code 1104:

LogName=Application
SourceName=Microsoft-SharePoint Products-PerformancePoint Service
EventCode=1104

And the lookup matches it - based on it being event code 1104 - to the message "The security Log is now full".

That's wrong - and pretty alarming. It looks like the lookup file is just for events from the Security log, yet the lookup is ignoring the log name, so event code 1104 becomes a full security log regardless of the log name (let alone the source name).

I'm still new with Splunk, so it's possible that I've effed something up to get this result. Has anyone else noticed this?

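The collision described in the question, and the scoping fix the accepted answer points to, can be reproduced outside Splunk. The following is an added example written for this thread; it is not code from the Splunk App for Windows Infrastructure or from either poster. It models the automatic lookup as a dictionary keyed on signature_id, exactly as the LOOKUP- setting above keys on EventCode, then shows a scoped variant that only applies to events from the log the table actually describes. The CSV excerpt and the two events are constructed for the example (the SharePoint event mirrors the fields quoted in the question; the Security event's SourceName is an assumption), and the helper names are hypothetical.

```python
"""
Added example (not the app's or the forum's own code): reproduce the
EventCode-only lookup collision and the effect of scoping the lookup.
"""
import csv
import io

# Constructed excerpt in the shape of windows_signatures.csv. The 1104 row
# is the one quoted in the question; the other rows are placeholders.
SIGNATURE_CSV = """signature_id,signature,CategoryString,action,result
512,"Windows NT is starting up",,,
1104,"The security Log is now full",,,
4625,"An account failed to log on",,,
"""

# Constructed events. The SharePoint one carries the three fields from the
# question; the Security one is an assumed event with the same EventCode.
SHAREPOINT_EVENT = {
    "LogName": "Application",
    "SourceName": "Microsoft-SharePoint Products-PerformancePoint Service",
    "EventCode": "1104",
}
SECURITY_EVENT = {
    "LogName": "Security",
    "SourceName": "Microsoft-Windows-Eventlog",  # assumed source for the example
    "EventCode": "1104",
}


def load_signatures(text):
    """Return {signature_id: signature}, mirroring the lookup's key column."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["signature_id"]: row["signature"] for row in reader}


def naive_lookup(event, sigs):
    """Key on EventCode alone, as the default LOOKUP- setting does.

    Any log that happens to reuse the number gets the Security-log text.
    """
    return sigs.get(event.get("EventCode"))


def scoped_lookup(event, sigs, log_names=("Security",)):
    """Apply the table only to events from the logs it was written for.

    This is the in-Python equivalent of restricting the automatic lookup to
    the Security sourcetype/source in props.conf, as the accepted answer suggests.
    """
    if event.get("LogName") not in log_names:
        return None
    return sigs.get(event.get("EventCode"))


def enrich(events, sigs, lookup):
    """Return (LogName, EventCode, signature) for each event under a given lookup."""
    return [(e["LogName"], e["EventCode"], lookup(e, sigs)) for e in events]


def collisions(events, sigs):
    """Events the naive lookup labels but the scoped lookup would not.

    Running this over already-indexed data is a quick way to find alerts or
    dashboards that were fed a false 'security log is now full' message.
    """
    return [e for e in events
            if naive_lookup(e, sigs) and scoped_lookup(e, sigs) is None]


if __name__ == "__main__":
    sigs = load_signatures(SIGNATURE_CSV)
    events = [SHAREPOINT_EVENT, SECURITY_EVENT]
    for row in enrich(events, sigs, naive_lookup):
        print("naive :", row)   # the Application event is mislabelled
    for row in enrich(events, sigs, scoped_lookup):
        print("scoped:", row)   # only the Security event gets a signature
    print("false matches:", len(collisions(events, sigs)))
```

Note that scoping only removes the cross-log collision; it does not help where a single EventCode carries different meanings within the Security log itself, which is the separate problem gjanders mentions further down the thread. The equivalent Splunk-side change is to define the LOOKUP- setting under a props.conf stanza that matches only the Security log data rather than under the sourcetype shared by every Windows event log; the exact stanza name depends on the version of the Windows add-on and its inputs in your environment, so check your own sourcetype and source values before editing.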

gjanders
SplunkTrust

What is the sourcetype you are using to ingest the sharepoint log files? If it's the same sourcetype as the security event logs then this might happen.

If not, you can adjust the sourcetypes that the lookup applies to in the same way that it is created (as per the documentation).


Ranazar
Path Finder

The SharePoint message is coming from the event logs as well - from the Application log as opposed to the Security log.

So it's all event log messages.

It seems like the app assumes that an event ID number is unique to one message across the event viewer. If that's the thinking, then it's definitely wrong - as this example shows.


gjanders
SplunkTrust

Tweaking the automatic lookup will resolve the issue, but I completely agree with you here.
I've logged a support case or two on this app as well, I believe I have an enhancement request open as some event codes have multiple meanings depending on the description.

Perhaps you can log a support case on this so it goes back to the app support team?


Ranazar
Path Finder

Thanks - I wasn't sure if it was something I had screwed up. I'll poke them with a support case and see what happens.
