Hi @sh_tavousi,
could you describe better your need?
Ciao.
Giuseppe
Hi
When I search source="wineventlog:security" or source="wineventlog:system" on the search head, results from some hosts are not extracted: they are raw, while others are extracted properly. I have installed the UF on the hosts and I have also used Splunk_TA_Windows.
I've looked at a lot of conf files and no luck as of yet.
Shohre
Hi @sh_tavousi,
did you install Splunk_TA_windows only on the Forwarders or also on the Search Heads?
Which fields aren't recognized?
Did you run the searches always in Verbose Mode?
Ciao.
Giuseppe
Hi
Yes, I installed Splunk_TA_windows on the Forwarders and on the Search Heads.
In WinEventLog:security and WinEventLog:system, none of the fields are extracted, such as EventCode, EventID, Account Name and so on. However, other hosts do not have any problem and I have all fields extracted.
I do not run searches in Verbose Mode. My search is "index=main source=WinEventLog:security", and then the results from some hosts are not extracted.
Shohre
Hi @sh_tavousi,
it's a very strange behavior!
please do some last checks:
Ciao.
Giuseppe
Hi Giuseppe,
Yes, logs recognized and not recognized are in the same language.
The sourcetype is not the same in both logs. In the extracted logs sourcetype=wineventlog, but in the not-recognized logs sourcetype=xmlwineventlog.
Shohre.
Hi @sh_tavousi,
this is the problem: field extractions are usually tied to the sourcetype, so if you have a different sourcetype you surely won't have the same extractions.
So you have two ways to solve the problem:
The first solution is easier: change the sourcetype assigned in the input, or add a sourcetype override on the Indexers or (when present) on the Heavy Forwarders (for more info see https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Advancedsourcetypeoverrides ).
If you want to keep a different sourcetype, you have to create all the extractions you need using regexes.
Ciao.
Giuseppe
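As an added illustration of the first option described in the answer above (this is not configuration from the original thread or from Splunk_TA_windows), here is what the two input-side and indexer-side variants look like in Splunk .conf files. The app directory name, the stanza names and the lowercase sourcetype value xmlwineventlog are assumptions taken from this thread; adjust them to your environment.

```ini
# Added example, not part of the original thread.
#
# Variant A: fix it at the input (on the Universal Forwarders).
# Splunk_TA_windows can render Windows events as XML (renderXml = true),
# which makes the forwarder assign the XmlWinEventLog sourcetype.
# Assumption: that is why the affected hosts send xmlwineventlog.
# Put this in Splunk_TA_windows/local/inputs.conf so it is not lost on upgrade.
[WinEventLog://Security]
renderXml = false

[WinEventLog://System]
renderXml = false

# Variant B: override the sourcetype where the data is parsed
# (Indexers, or Heavy Forwarders if the UFs send through them).
# Location: $SPLUNK_HOME/etc/apps/<your_app>/local/ ; <your_app> is a placeholder.
#
# props.conf: the stanza must match the sourcetype the forwarder assigns.
[xmlwineventlog]
TRANSFORMS-force_classic_wineventlog = force_wineventlog_sourcetype

# transforms.conf: rewrite the sourcetype metadata before indexing.
[force_wineventlog_sourcetype]
REGEX = .
FORMAT = sourcetype::WinEventLog
DEST_KEY = MetaData:Sourcetype
```

Two caveats worth keeping in mind: Variant B only changes the sourcetype label, so if the forwarder is still sending XML payloads the WinEventLog extractions will not match the XML body; Variant A changes the data itself. Either way, the change applies only to events indexed after a restart, so check with a search such as `index=main source="WinEventLog:Security" | stats count by host, sourcetype` over a recent time range to confirm that the previously affected hosts now arrive with the expected sourcetype.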
Hi @sh_tavousi,
Good for You.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉