We are using Graylog to forward Windows security events to Splunk. Since we are using Enterprise Security and COM, we worked with Splunk PS to basically remap the fields from winlogbeat_ to the format needed by the Splunk_TA_windows app. We have these working but are struggling with one lookup.
The field is 'action' with a value of "Action Success" or "Action Failure". However, Graylog sends it as [Action Success] or [Action Failure]. We changed the lookup file from Splunk_TA_windows to [Action Success],success or [Action Failure],failure.
It doesn't appear to pull this from the lookup table. Is there a particular format required when the value is prefaced with a special character?
I'm not sure whether this conflicts with the TA_Windows lookup or not. When I look at btool I see that mine loaded, but I would think that if I were using that one it would have broken the events coming in over the Splunk UF.
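The following is an added, stand-alone model of how a Splunk file-based (CSV) lookup decides whether an input value matches a row; it is not code from the post, from Splunk or from the Splunk_TA_windows app. It assumes what transforms.conf documents as the default for CSV lookups, `case_sensitive_match = true`, and that the comparison is an exact whole-string match, so `[` and `]` are ordinary characters that need neither quoting nor escaping in the CSV. The column names `Type`/`action` and the event values are constructed for the illustration. The point it makes is that a bracketed key is not special; what breaks matching is a value that differs from the CSV key by whitespace, case or a missing bracket, and the `diagnose` function reports which of those it is.

```python
"""Simulate exact-match behaviour of a Splunk CSV lookup (added example).

Assumptions (not taken from the original post):
  * case_sensitive_match = true, the documented default for file-based lookups
  * matching is an exact comparison of the whole field value, no wildcards
  * column names Type (input) and action (output) are illustrative only
"""
import csv
import io

# Constructed two-column lookup table; the brackets are literal characters.
LOOKUP_CSV = """Type,action
[Action Success],success
[Action Failure],failure
"""

# Constructed field values as they might arrive on events.
EVENTS = [
    "[Action Success]",     # exact match
    "[Action Failure]",     # exact match
    "Action Success",       # brackets absent from the event value
    "[action success]",     # case differs
    "[Action Success] ",    # trailing whitespace
    "[Action Success",      # unbalanced bracket
]


def load_lookup(text):
    """Parse the lookup CSV into (key_field, output_field, {key: output})."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    key_field, out_field = reader.fieldnames[0], reader.fieldnames[1]
    return key_field, out_field, {r[key_field]: r[out_field] for r in rows}


def lookup(table, value, case_sensitive=True):
    """Return the output value for `value`, or None when no row matches."""
    if case_sensitive:
        return table.get(value)
    lowered = {k.lower(): v for k, v in table.items()}
    return lowered.get(value.lower())


def diagnose(table, value):
    """Explain why `value` does or does not match a key in the table."""
    if value in table:
        return "match"
    stripped = value.strip()
    if stripped != value and stripped in table:
        return "leading/trailing whitespace on the event value"
    if any(k.lower() == value.lower() for k in table):
        return "case mismatch (case_sensitive_match=true)"
    if value.strip("[]") in {k.strip("[]") for k in table}:
        return "bracket mismatch between event value and CSV key"
    return "no key resembles this value"


def run(case_sensitive=True):
    """Apply the lookup to every constructed event value.

    Returns a list of (event_value, output_or_None, reason) tuples.
    """
    _, _, table = load_lookup(LOOKUP_CSV)
    return [(v, lookup(table, v, case_sensitive), diagnose(table, v))
            for v in EVENTS]


if __name__ == "__main__":
    for value, out, reason in run():
        print(f"{value!r:22} -> {out!r:10} ({reason})")
```

Running it shows the two bracketed values resolving to `success`/`failure` and every other variant returning `None` with the reason, which is the comparison to make against the raw `action` value of a non-matching event (for example, via a rex or eval that reveals stray whitespace) before assuming the brackets themselves are the problem.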