Dashboards & Visualizations

do you need the windows-ta to parse windows logs in XML?

sbattista09
Contributor

I know by using the render in xml for windows logs can save on overhead however, do you need the windows-TA to accomplish this?

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

Yes and No, both. Or how about "It depends"?

A handful of points in hopefully a not-terrible order:

The Windows TA is a set of "things", many of which parse the Windows Event logs. Other pieces may do lookups (to convert certain hex values into "Allowed" or "Denied" or whatever), other parts which may build pretty dashboards.

As you've noticed, when you set renderXml = 1 on the input there are probably a lot of fields that will come through fine because it's XML and is parsed as XML. So in that sense, the Windows TA isn't really required.

BUT, not all the XML logs are "Well defined XML" either. I mean, they're fine - maybe the right way to say it is that not all fields are A single field. There are times when a single "field" actually contains a lot of data in it, only partly related to each other. In that case, there is additional parsing needed to pull those bits and pieces out into separate fields. I believe the Windows TA does this in several important cases, so in that respect the Windows TA is totally needed.

Except in all those cases, one could just write one's own extractions and parsing, in which case the Windows TA isn't actually needed. Some folks have rewritten or at least rewritten parts of the Windows TA.

So the answer really is it depends.

IMO, if one were really quite enterprising, one could just remove the pieces that were unneeded when you turn on renderXml, but I think the only thing that would do would be to reduce your props/transforms files' size a bit. But since all the stuff that is in the TA for parsing older logs won't get used, it's really not making your system slower or anything - maybe a few more milliseconds wasted at startup, but likely a more or less zero impact to the running system.

So, does all that makes sense? 🙂

View solution in original post

Richfez
SplunkTrust
SplunkTrust

Yes and No, both. Or how about "It depends"?

A handful of points in hopefully a not-terrible order:

The Windows TA is a set of "things", many of which parse the Windows Event logs. Other pieces may do lookups (to convert certain hex values into "Allowed" or "Denied" or whatever), other parts which may build pretty dashboards.

As you've noticed, when you set renderXml = 1 on the input there are probably a lot of fields that will come through fine because it's XML and is parsed as XML. So in that sense, the Windows TA isn't really required.

BUT, not all the XML logs are "Well defined XML" either. I mean, they're fine - maybe the right way to say it is that not all fields are A single field. There are times when a single "field" actually contains a lot of data in it, only partly related to each other. In that case, there is additional parsing needed to pull those bits and pieces out into separate fields. I believe the Windows TA does this in several important cases, so in that respect the Windows TA is totally needed.

Except in all those cases, one could just write one's own extractions and parsing, in which case the Windows TA isn't actually needed. Some folks have rewritten or at least rewritten parts of the Windows TA.

So the answer really is it depends.

IMO, if one were really quite enterprising, one could just remove the pieces that were unneeded when you turn on renderXml, but I think the only thing that would do would be to reduce your props/transforms files' size a bit. But since all the stuff that is in the TA for parsing older logs won't get used, it's really not making your system slower or anything - maybe a few more milliseconds wasted at startup, but likely a more or less zero impact to the running system.

So, does all that makes sense? 🙂

sbattista09
Contributor

yep! thank you! We are going over the app today and are removing everything we do not need! thanks for your time.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...