
Do you need the Windows TA to parse Windows logs in XML?

sbattista09
Contributor

I know that rendering Windows logs in XML can save on overhead; however, do you need the Windows TA to accomplish this?


Richfez
SplunkTrust

Yes and No, both. Or how about "It depends"?

A handful of points in hopefully a not-terrible order:

The Windows TA is a set of "things", many of which parse the Windows Event logs. Other pieces may do lookups (to convert certain hex values into "Allowed" or "Denied" or whatever), and other parts may build pretty dashboards.

As you've noticed, when you set renderXml = 1 on the input there are probably a lot of fields that will come through fine because it's XML and is parsed as XML. So in that sense, the Windows TA isn't really required.

BUT, not all the XML logs are "well-defined XML" either. I mean, they're fine; maybe the right way to say it is that not all fields are a single field. There are times when a single "field" actually contains a lot of data in it, only partly related to each other. In that case, there is additional parsing needed to pull those bits and pieces out into separate fields. I believe the Windows TA does this in several important cases, so in that respect the Windows TA is totally needed.

Except in all those cases, one could just write one's own extractions and parsing, in which case the Windows TA isn't actually needed. Some folks have rewritten or at least rewritten parts of the Windows TA.

So the answer really is it depends.

IMO, if one were really quite enterprising, one could just remove the pieces that were unneeded when you turn on renderXml, but I think the only thing that would do would be to reduce your props/transforms files' size a bit. But since all the stuff that is in the TA for parsing older logs won't get used, it's really not making your system slower or anything - maybe a few more milliseconds wasted at startup, but likely a more or less zero impact to the running system.

So, does all that make sense? 🙂

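To make the "one field that is really several fields" point concrete, here is an added example (not from the original answer, and not the Windows TA's own code). It parses a constructed Sysmon process-creation event in the renderXml shape, shows what a path-only XML extraction gives you for EventData (one multivalued Data field, with the Name attributes stranded), then keys each Data element by its Name attribute and splits the Sysmon Hashes value, which packs SHA1, MD5 and SHA256 into one field, into separate fields. The sample event, the hostname, the user and the hash values (the hashes of empty input, used as placeholders) are all made up; the COMPOUND_FIELDS list is an assumption about which fields need the extra pass.

```python
import re
import xml.etree.ElementTree as ET

# The Windows Event Log XML namespace; every renderXml event carries it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a Sysmon event ID 1 (process creation) trimmed to the
# elements that matter here. Not a real capture; host, user and hashes are
# placeholders (the hashes are those of empty input).
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Computer>ws01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="Hashes">SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709,MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855</Data>
  </EventData>
</Event>
"""


def naive_data_values(xml_text):
    """What a path-only XML extraction sees: EventData/Data becomes one
    multivalued field and the Name attributes are not used as field names."""
    root = ET.fromstring(xml_text)
    return [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]


def parse_event(xml_text):
    """Flatten one event: System children by tag, Provider by its Name
    attribute, and each EventData/Data element keyed by its Name attribute."""
    root = ET.fromstring(xml_text)
    fields = {}
    for child in root.find("e:System", NS):
        tag = child.tag.split("}", 1)[1]  # drop the namespace prefix
        if tag == "Provider":
            fields["Provider_Name"] = child.get("Name", "")
        else:
            fields[tag] = (child.text or "").strip()
    for data in root.findall("e:EventData/e:Data", NS):
        name = data.get("Name")
        if name:
            fields[name] = data.text or ""
    return fields


# Sysmon writes Hashes as "SHA1=...,MD5=...,SHA256=...": one Data value that
# is really a bag of key=value pairs.
KV_PAIR = re.compile(r"([A-Za-z0-9_]+)=([^,]*)")

# Assumption for this example: the fields that get the second parsing pass.
COMPOUND_FIELDS = {"Hashes"}


def split_compound(value):
    """Split "K1=v1,K2=v2" into a dict. Returns {} unless the whole value is
    made of such pairs, so an ordinary field is never chopped up by accident."""
    pairs = KV_PAIR.findall(value)
    if not pairs or ",".join(f"{k}={v}" for k, v in pairs) != value:
        return {}
    return dict(pairs)


def extract_fields(xml_text):
    """Full extraction: Name-keyed fields plus <field>_<key> sub-fields for
    the compound values."""
    fields = parse_event(xml_text)
    for name in COMPOUND_FIELDS:
        for key, value in split_compound(fields.get(name, "")).items():
            fields[f"{name}_{key}"] = value
    return fields


if __name__ == "__main__":
    print("path-only view of EventData:", naive_data_values(SAMPLE_EVENT))
    for k, v in sorted(extract_fields(SAMPLE_EVENT).items()):
        print(f"{k} = {v}")
```

The first function is the "fields come through fine because it's XML" case from the answer; the rest is the extra parsing the TA (or your own props/transforms) has to supply. In Splunk terms the Name-keyed step is a transforms.conf stanza whose REGEX captures the Name attribute and the element text and uses FORMAT = $1::$2 to create dynamically named fields; the Hashes split is a second extraction on top of that field. Extend COMPOUND_FIELDS with whichever other packed fields your sources produce before relying on this in production.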


sbattista09
Contributor

Yep! Thank you! We are going over the app today and are removing everything we do not need! Thanks for your time.
