Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Additional Windows Event Logs

UnsuperviseLeon
Loves-to-Learn
‎08-27-2024 01:38 PM

Hello! I am trying to collect 3 additional Windows Event logs and I have added them in the inputs.conf, for example

 

[WinEventLog://Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true

 

 Admin, Autopilot, and Operational, were added the same way.

I also added in props.conf

 

[WinEventLog:Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin]
rename = wineventlog

[WinEventLog:Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot]
rename = wineventlog

[WinEventLog:Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational]
rename = wineventlog

 

 

The data are coming in, however, none of the fields are parsed as interesting fields.

Is there something I am missing? I looked through some of the other conf file, but I think I am in over my head to make a new section in props? I thought the base [WinEventLog] would take care of the basic breaking up of interesting fields like EventID, so I am a bit lost.

Labels (3)
Labels
0 Karma
Reply

UnsuperviseLeon
Loves-to-Learn
‎08-29-2024 07:34 AM

Things like "EventID" is in every event and that isn't showing up. I'll poke around the other conf more.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-29-2024 11:01 AM

Ok. Aren't you perchance searching in fast mode? Oh, and I of course assume you have your TA_windows installed in all required places, right?

0 Karma
Reply

UnsuperviseLeon
Loves-to-Learn
‎08-29-2024 02:46 PM

Not searching in fast mode.

I am going to assume that I did not installed it in all the required places, I inherited this from another employee. I have it deployed from the DS to my endpoints and the local conf are configured there. I have it also installed via Manage Apps in the Cloud search head. 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-27-2024 11:30 PM

Hi @UnsuperviseLeon ,

as @PickleRick said, fields are lister in interesting fields only if you have them in at least 20% of the events, you can check these fields putting in the main search one of these new fields (e.g. my_field=*).

then, it isn't sure that these fields are correctly parsed by the standard Windows parser, you have to check this and eventually add the missing parsings.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-27-2024 03:15 PM

Interesting Fields is just a GUI feature that shows fields present in at least 10 (15?) percent of events. Just because field is not listed there doesn't mean it's not being parsed out from the event. Actually with renderXml=true you get xml-formatted events from which all fields should be automatically parsed.

0 Karma
Reply
Get Updates on the Splunk Community!

Best Strategies to Optimize Observability Costs

 Join us on Tuesday, May 6, 2025, at 11 AM PDT / 2 PM EDT for an insightful session on optimizing ...

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...