Dashboards & Visualizations

do you need the windows-ta to parse windows logs in XML?

sbattista09
Contributor

I know by using the render in xml for windows logs can save on overhead however, do you need the windows-TA to accomplish this?

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

Yes and No, both. Or how about "It depends"?

A handful of points in hopefully a not-terrible order:

The Windows TA is a set of "things", many of which parse the Windows Event logs. Other pieces may do lookups (to convert certain hex values into "Allowed" or "Denied" or whatever), other parts which may build pretty dashboards.

As you've noticed, when you set renderXml = 1 on the input there are probably a lot of fields that will come through fine because it's XML and is parsed as XML. So in that sense, the Windows TA isn't really required.

BUT, not all the XML logs are "Well defined XML" either. I mean, they're fine - maybe the right way to say it is that not all fields are A single field. There are times when a single "field" actually contains a lot of data in it, only partly related to each other. In that case, there is additional parsing needed to pull those bits and pieces out into separate fields. I believe the Windows TA does this in several important cases, so in that respect the Windows TA is totally needed.

Except in all those cases, one could just write one's own extractions and parsing, in which case the Windows TA isn't actually needed. Some folks have rewritten or at least rewritten parts of the Windows TA.

So the answer really is it depends.

IMO, if one were really quite enterprising, one could just remove the pieces that were unneeded when you turn on renderXml, but I think the only thing that would do would be to reduce your props/transforms files' size a bit. But since all the stuff that is in the TA for parsing older logs won't get used, it's really not making your system slower or anything - maybe a few more milliseconds wasted at startup, but likely a more or less zero impact to the running system.

So, does all that makes sense? 🙂

View solution in original post

Richfez
SplunkTrust
SplunkTrust

Yes and No, both. Or how about "It depends"?

A handful of points in hopefully a not-terrible order:

The Windows TA is a set of "things", many of which parse the Windows Event logs. Other pieces may do lookups (to convert certain hex values into "Allowed" or "Denied" or whatever), other parts which may build pretty dashboards.

As you've noticed, when you set renderXml = 1 on the input there are probably a lot of fields that will come through fine because it's XML and is parsed as XML. So in that sense, the Windows TA isn't really required.

BUT, not all the XML logs are "Well defined XML" either. I mean, they're fine - maybe the right way to say it is that not all fields are A single field. There are times when a single "field" actually contains a lot of data in it, only partly related to each other. In that case, there is additional parsing needed to pull those bits and pieces out into separate fields. I believe the Windows TA does this in several important cases, so in that respect the Windows TA is totally needed.

Except in all those cases, one could just write one's own extractions and parsing, in which case the Windows TA isn't actually needed. Some folks have rewritten or at least rewritten parts of the Windows TA.

So the answer really is it depends.

IMO, if one were really quite enterprising, one could just remove the pieces that were unneeded when you turn on renderXml, but I think the only thing that would do would be to reduce your props/transforms files' size a bit. But since all the stuff that is in the TA for parsing older logs won't get used, it's really not making your system slower or anything - maybe a few more milliseconds wasted at startup, but likely a more or less zero impact to the running system.

So, does all that makes sense? 🙂

sbattista09
Contributor

yep! thank you! We are going over the app today and are removing everything we do not need! thanks for your time.

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...