Solved: How do you add new field extraction and do proper ...

Kitteh · ‎09-25-2017

An example of my raw text is attached. How do I do the field extraction and also proper line breaking in event logs like this? I've changed renderXml to true so as to reduce the resource intensity. the sourcetype is XmlWinEventLog

Kitteh · ‎10-10-2017

Question resolved, I changed renderXml to false and proceed using regex (example: rex in splunk) to actually extract fields, this way its much more efficient. In my opinion.

View solution in original post

Kitteh · ‎10-10-2017

Question resolved, I changed renderXml to false and proceed using regex (example: rex in splunk) to actually extract fields, this way its much more efficient. In my opinion.

harsmarvania57 · ‎09-26-2017

Hi @Kitteh,

You can install Splunk_TA_Windows add-on (https://splunkbase.splunk.com/app/742/) to extract fields during search time.

Thanks,
Harshil

harsmarvania57 · ‎09-26-2017

Hi @Kitteh,

Is this sysmon data?

Thanks,
Harshil

Kitteh · ‎09-26-2017

Hi @harsmarvania57,

No this is not Sysmon data. Particularly on Windows Event Viewer log on application, system and security.

Regards,
Kitteh

How do you add new field extraction and do proper line breaking? (Sourcetype=XMLWinEventLog)

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?