All Apps and Add-ons

Windows event log fields are not extracted properly

sh_tavousi
Explorer

In some instances,  Windows event log fields are not extracted properly but in others they are extracted properly.

Labels (1)
Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @sh_tavousi,

this is the problem: field extractions are usually related to sourcetype, if you have a different sourcetype, surely you haven't the same extractions.

So you have two ways to solve the problem:

  • override the sourcetype value,
  • duplicate windows extraction for xmlwineventlog.

the first solution is easier: you have to change the sourcetype assign in input or add an overriding on Indexers or (when present) on Heavy Forwarders (for more infos see at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Advancedsourcetypeoverrides ).

If you want to maintain a different sourcetype, you have to create all the extractions you need using regexes.

Ciao.

Giuseppe

 

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sh_tavousi,

could you describe better your need?

  • what do you mean with instances?
  • are you using the Splunk_TA_Windows?
  • which fields aren't extracted properly?

Ciao.

Giuseppe

0 Karma

sh_tavousi
Explorer

Hi

When I search source="wineventlog:security" or "wineventlog:system" in some hosts in search head, results are not extracted. They are raw but others are extracted properly. I have installed UF on hosts and also I have used  Splunk_TA_Windows.

I've looked at a lot of conf files and no luck as of yet.

Shohre

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sh_tavousi,

did you installed Splunk_TA_windows only on Forwarders or also on Search Heads?

Which fields aren't recognized?

Did you run the searches always in Verbose Mode?

Ciao.

Giuseppe

0 Karma

sh_tavousi
Explorer

Hi

Yes, I installed Splunk_TA_windows  on Forwarders and on Search Heads.

In WinEventLog  :security and WinEventLog:system,  all fields are not extracted like Event Code, Event ID, Account Name and ... . However other hosts do not have any problems and I have all field extracted.

I do not run searches  in Verbose Mode. My search is " index=main source=WinEventLog  :security" and then results in some hosts are not extracted.

Shohre

 

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sh_tavousi,

it's a very strange behavior!

please some last checks:

  • logs recognized and not recognized are in the same language? I had some problem having logs from some server in Italian instead of English.
  • sourcetype is the same in both logs?

Ciao.

Giuseppe

0 Karma

sh_tavousi
Explorer

Hi Giuseppe,

Yes, logs recognized and not recognized are in the same language.

Sourcetype is note the same in both logs. In extracted logs sourcetype=wineventlog but in not recognized logs sourcetype=xmlwineventlog.

Shohre.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sh_tavousi,

this is the problem: field extractions are usually related to sourcetype, if you have a different sourcetype, surely you haven't the same extractions.

So you have two ways to solve the problem:

  • override the sourcetype value,
  • duplicate windows extraction for xmlwineventlog.

the first solution is easier: you have to change the sourcetype assign in input or add an overriding on Indexers or (when present) on Heavy Forwarders (for more infos see at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Advancedsourcetypeoverrides ).

If you want to maintain a different sourcetype, you have to create all the extractions you need using regexes.

Ciao.

Giuseppe

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sh_tavousi,

Good for You.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

yeasuh
Community Manager
Community Manager

Hi my name is Yeasuh and I am a Community Content Specialist for Splunk Answers. Thank you for participating in the Splunk Answers community. To increase your chances of getting help from the community, please make sure that the title/subject line you use is descriptive and explains the question with enough detail. When posting questions in the future, please provide more information and context.

Thanks!

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...