
Windows Powershell Transcription: Parsing events

henryyam
Explorer

How are people parsing PowerShell transcription files that have a large number of command executions within the file?

For those not familiar, PowerShell Transcription will create a log file once a user starts their PowerShell transaction.
It will log the user's name at the top of the file and will not close the file until the command is closed.

In some cases we have an MMC running open all week, and this can produce hundreds of commands within the PowerShell transaction file.
Unfortunately, it only logs the user name of whoever initially executed the command at the start, at the launch of the process. The subsequent entries just show the command and output.

How do you associate the user's name with each of these commands if you want to keep them as separate events?
Or are you just bundling all of those commands into one event?

Or has someone found a way to associate the username to each command?

Windows PowerShell transcript start

Start time: 20190216091018
Username: XYZ
RunAs User: ABC
Configuration Name: 
Machine: HOSTNAME 
Host Application: C:\WINDOWS\system32\mmc.exe 
Process ID: 1111
PSVersion: 5.1.111
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.590
BuildVersion: 10.0.17134
CLRVersion: 4.0.30319
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.

Command start time: 20190216091032

PS>CommandInvocation(Get-ConfigInstalledDBVersion): "Get-ConfigInstalledDBVersion"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="AdminAddress"; value="xyz.com:80"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="Upgrade"; value="True"

Command start time: 20190216091031

PS>CommandInvocation(Get-ConfigInstalledDBVersion): "Get-ConfigInstalledDBVersion"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="AdminAddress"; value="xyz.com:80"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="Upgrade"; value="True"

Command start time: 20190216091032

PS>CommandInvocation(Get-ConfigInstalledDBVersion): "Get-ConfigInstalledDBVersion"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="AdminAddress"; value="xyz.com:80"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="Upgrade"; value="True"

Command start time: 20190216091034

PS>CommandInvocation(Get-ConfigInstalledDBVersion): "Get-ConfigInstalledDBVersion"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="AdminAddress"; value="xyz.com:80"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="Upgrade"; value="True"

Command start time: 20190216091037

PS>CommandInvocation(Get-ConfigInstalledDBVersion): "Get-ConfigInstalledDBVersion"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="AdminAddress"; value="xyz.com:80"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="Upgrade"; value="True"
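One way to get a username onto every command is to stop treating the transcript as a single event at ingest time and instead split it yourself: read the header block once, then emit one record per "Command start time" block with the header's identity fields copied onto it. The following is an added example written for this thread; it is not code from the original post, from Splunk, or from Microsoft. It assumes the layout visible in the post (a "Windows PowerShell transcript start" header of "Key: value" lines, then repeated "Command start time: yyyyMMddHHmmss" blocks containing "PS>CommandInvocation(...)" and ">> ParameterBinding(...)" lines); the asterisk separator lines and the "Windows PowerShell transcript end" marker that real transcript files contain are also handled, and the sample input is constructed, not a real capture. Both "Username" and "RunAs User" are carried onto each event, because, as the post's own sample shows (XYZ vs ABC), they can differ and the RunAs identity is the one the commands actually execute under.

```python
"""Split a PowerShell transcript into per-command events that each carry the
session identity fields (Username, RunAs User, Machine, Host Application,
Process ID) from the transcript header.

Added example for this thread; not code from the post, Splunk or Microsoft.
Assumes the layout shown in the post; separator lines made only of asterisks
and the 'Windows PowerShell transcript end' marker are skipped/handled.
"""
import json
import re
from datetime import datetime

HEADER_START = "Windows PowerShell transcript start"
HEADER_END = "Windows PowerShell transcript end"
SEPARATOR = re.compile(r"^\*+$")
CMD_START = re.compile(r"^Command start time:\s*(\d{14})$")
HEADER_KV = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
INVOCATION = re.compile(r'^PS>CommandInvocation\(([^)]+)\):\s*"(.*)"$')
PARAM = re.compile(r'^>> ParameterBinding\(([^)]+)\):\s*name="([^"]*)";\s*value="(.*)"$')

# Header keys copied onto every command event so each event stands alone.
SESSION_FIELDS = {
    "Username": "username",
    "RunAs User": "runas_user",
    "Machine": "machine",
    "Host Application": "host_application",
    "Process ID": "process_id",
    "Start time": "session_start",
}


def parse_ts(stamp):
    """Convert the transcript's compact yyyyMMddHHmmss timestamp to ISO 8601."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").isoformat()


def parse_transcript(text):
    """Return (header, events): header is the raw key/value block, events is one
    dict per command with session fields, start time, command name, bound
    parameters and any remaining output lines."""
    header, events, current = {}, [], None
    in_header = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line):
            continue
        if line == HEADER_START:
            in_header = True
            continue
        if line == HEADER_END:
            current, in_header = None, False  # trailing 'End time' is not a command
            continue
        m = CMD_START.match(line)
        if m:
            in_header = False
            # Every event starts with a copy of the session identity fields.
            current = {dst: header.get(src, "") for src, dst in SESSION_FIELDS.items()}
            current.update(command_time=parse_ts(m.group(1)), command="",
                           command_text="", parameters={}, output=[])
            events.append(current)
            continue
        if in_header:
            kv = HEADER_KV.match(line)
            if kv:
                header[kv.group(1)] = kv.group(2)
            continue
        if current is None:
            continue  # text before the first command: nothing to attach it to
        inv = INVOCATION.match(line)
        if inv:
            current["command"], current["command_text"] = inv.group(1), inv.group(2)
            continue
        prm = PARAM.match(line)
        if prm:
            current["parameters"][prm.group(2)] = prm.group(3)
            continue
        current["output"].append(line)  # anything else is command output
    return header, events


def to_json_lines(text):
    """One JSON object per command: a shape a log pipeline can ingest so the
    user fields are present on every event, not only on the first."""
    _, events = parse_transcript(text)
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


# Constructed sample modelled on the transcript in the post (not a real capture).
SAMPLE = """\
**********************
Windows PowerShell transcript start
Start time: 20190216091018
Username: CORP\\alice
RunAs User: CORP\\svc_admin
Configuration Name:
Machine: HOSTNAME
Host Application: C:\\WINDOWS\\system32\\mmc.exe
Process ID: 1111
**********************
Command start time: 20190216091032
**********************
PS>CommandInvocation(Get-ConfigInstalledDBVersion): "Get-ConfigInstalledDBVersion"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="AdminAddress"; value="xyz.com:80"
>> ParameterBinding(Get-ConfigInstalledDBVersion): name="Upgrade"; value="True"
**********************
Command start time: 20190216091034
**********************
PS>CommandInvocation(Get-Service): "Get-Service"
>> ParameterBinding(Get-Service): name="Name"; value="WinRM"
Status   Name               DisplayName
Running  WinRM              Windows Remote Management (WS-Managem...
**********************
Windows PowerShell transcript end
End time: 20190216091100
**********************
"""

if __name__ == "__main__":
    print(to_json_lines(SAMPLE))
```

Run against a real transcript, the output is one JSON line per command, each carrying the same username, RunAs user, host application and process ID, so a long-lived MMC session becomes hundreds of independently searchable events rather than one blob. The command "output" list is kept because transcripts also record what a command printed; the parser's only assumption about it is that it is whatever does not match the invocation or parameter-binding patterns.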