Getting Data In

Additional Windows Event Logs

UnsuperviseLeon
Loves-to-Learn

Hello! I am trying to collect 3 additional Windows Event logs, and I have added them in inputs.conf, for example:

[WinEventLog://Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

Admin, Autopilot, and Operational were added the same way.

I also added this in props.conf:

[WinEventLog:Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin]
rename = wineventlog

[WinEventLog:Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot]
rename = wineventlog

[WinEventLog:Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational]
rename = wineventlog

The data is coming in; however, none of the fields are parsed as interesting fields.

Is there something I am missing? I looked through some of the other conf files, but I think I am in over my head when it comes to making a new section in props. I thought the base [WinEventLog] stanza would take care of the basic breaking out of interesting fields like EventID, so I am a bit lost.

0 Karma

UnsuperviseLeon
Loves-to-Learn

Things like "EventID" are in every event, and they aren't showing up. I'll poke around the other conf files more.

0 Karma

PickleRick
SplunkTrust

Ok. Aren't you perchance searching in fast mode? Oh, and I of course assume you have your TA_windows installed in all required places, right?

0 Karma

UnsuperviseLeon
Loves-to-Learn

Not searching in fast mode.

I am going to assume that I did not install it in all the required places; I inherited this from another employee. I have it deployed from the DS to my endpoints, and the local confs are configured there. I also have it installed via Manage Apps on the Cloud search head.

0 Karma

gcusello
SplunkTrust

Hi @UnsuperviseLeon ,

as @PickleRick said, fields are listed in interesting fields only if you have them in at least 20% of the events. You can check these fields by putting one of these new fields in the main search (e.g. my_field=*).

Then, it isn't certain that these fields are correctly parsed by the standard Windows parser; you have to check this and eventually add the missing parsings.

Ciao.

Giuseppe

0 Karma

PickleRick
SplunkTrust

Interesting Fields is just a GUI feature that shows fields present in at least 10 (15?) percent of events. Just because a field is not listed there doesn't mean it's not being parsed out of the event. Actually, with renderXml=true you get XML-formatted events from which all fields should be automatically parsed.

0 Karma
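To make the two points in this thread concrete (fields are extracted from the renderXml XML regardless of the UI, and the Interesting Fields panel only lists fields above a coverage threshold), here is an added Python example that is not part of the thread or of the Splunk Windows TA. It builds constructed events in the renderXml shape for the Admin channel discussed above (placeholder event IDs, computer name and EventData names), extracts System and EventData fields, and reports which fields would clear a given coverage threshold; the threshold is a parameter because the answers above quote different values.

```python
import xml.etree.ElementTree as ET

# Namespace used by the Windows event XML that renderXml=true emits.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CHANNEL = "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"


def make_event(event_id, data):
    """Constructed sample event in the renderXml shape; all values are placeholders."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f"<EventID>{event_id}</EventID><Level>4</Level><Channel>{CHANNEL}</Channel>"
        f"<Computer>WKS-EXAMPLE-01</Computer></System>"
        f"<EventData>{fields}</EventData></Event>"
    )


def parse_event(xml_text):
    """Extract System-level elements (EventID, Channel, ...) and named EventData values."""
    root = ET.fromstring(xml_text)
    fields = {}
    for child in root.find("e:System", NS):
        tag = child.tag.split("}", 1)[1]  # strip the "{namespace}" prefix
        fields[tag] = child.text or ""
    for data in root.findall("e:EventData/e:Data", NS):
        name = data.get("Name")
        if name:
            fields[name] = data.text or ""
    return fields


def field_coverage(events, threshold=0.2):
    """Return (coverage, interesting): the fraction of events each parsed field
    appears in, and the set of fields at or above the threshold. A field below the
    threshold is still extracted; it simply would not be shown as 'interesting'."""
    parsed = [parse_event(e) for e in events]
    counts = {}
    for fields in parsed:
        for name in fields:
            counts[name] = counts.get(name, 0) + 1
    coverage = {name: n / len(parsed) for name, n in counts.items()}
    return coverage, {name for name, frac in coverage.items() if frac >= threshold}


# Constructed corpus: 10 events, all with SessionId, only one with ErrorCode (placeholder value).
SAMPLE_EVENTS = [make_event(1000, {"SessionId": f"sess-{i}"}) for i in range(9)]
SAMPLE_EVENTS.append(make_event(1001, {"SessionId": "sess-9", "ErrorCode": "0x80070005"}))

if __name__ == "__main__":
    cov, interesting = field_coverage(SAMPLE_EVENTS)
    print("parsed fields of first event:", sorted(parse_event(SAMPLE_EVENTS[0])))
    print("coverage:", {k: round(v, 2) for k, v in cov.items()})
    print("would appear as interesting:", sorted(interesting))
```

Searching for the low-coverage field explicitly (the `my_field=*` approach above) is the equivalent of checking `cov["ErrorCode"] > 0` here rather than relying on the panel.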