Getting Data In

Event break multiline PowerShell Transcript Log

bibibo
Loves-to-Learn Lots

Hello everyone, 

I am ingesting PowerShell Transcript Logs through a data diode. I use the Diode Sender and Receiver add-ons:

Diode Sender Addon Splunk
https://splunkbase.splunk.com/app/6357

Diode Receiver Addon Splunk
https://splunkbase.splunk.com/app/6358

The reason for using these add-ons is to maintain the metadata after passing through the diode. Metadata is encapsulated in the log that is sent and decapsulated before it gets indexed.

Raw logs are received as follows:

<42>Oct 29 11:34:30 host1.domain.local i=windows|t=1761737670|st=powershell:transcript|s=C:\Transcripts\20251029\PowerShell_transcript.host1.xlLj7Isz.20251029113430.txt|h=host1.domain.local|r=**********************
Windows PowerShell transcript start
Start time: 20251029113430
Username: DOMAIN\SYSTEM
RunAs User: DOMAIN\SYSTEM
Configuration Name: 
Machine: host1 (Microsoft Windows NT 6.2.9200.0)
Host Application: C:\Program Files\Veeam\Availability Console\CommunicationAgent\Veeam.MBP.Agent.exe
Process ID: 10696
PSVersion: 5.1.17763.7919
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17763.7919
BuildVersion: 10.0.17763.7919
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
PS>$m = Get-Module -Name 'Veeam.Backup.PowerShell' -ListAvailable
if (!$m) { Add-PSSnapin VeeamPSSnapIn }
$m = $null
Connect-VBRServer -server localhost

PS>Get-VBRFailoverPlan

PS>Disconnect-VBRServer
Remove-Module -Name 'Veeam.Backup.PowerShell' -Force -ErrorAction SilentlyContinue


Logs are sent to an Edge Processor.

There I see that the single sample log is broken into several events, using the newline as the line breaker.


What are the sourcetype settings needed in order to properly split my events? All events arrive with the <42> header, but I don't see it in Edge Processor, so I don't know whether it is stripped off before the event breaking function.

End Goal:
After the events are properly parsed, I want to use the Hurricane Labs Add-on for Windows PowerShell Transcript (https://splunkbase.splunk.com/app/4984) and extract all the fields of the PS transcript log.

Thanks in advance for your help.

With kind regards,

Christos
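Added example (not part of the question above, and not code from the diode or Hurricane Labs add-ons): a small Python parser that breaks a syslog-wrapped stream only where a newline is immediately followed by a `<PRI>` header, rather than on every newline, and then splits the diode `k=v|k=v` metadata and the transcript header into fields. The props.conf mapping mentioned in the comments and the assumption that the `<42>` header is still present at the breaking stage are mine; the second event (host2, alice, process 4242) is a constructed value added so the breaking logic has two events to separate.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the raw log in the question. The second event
# (host2, DOMAIN\alice, process 4242) is made up to show that breaking works.
SAMPLE = (
    "<42>Oct 29 11:34:30 host1.domain.local i=windows|t=1761737670|st=powershell:transcript"
    "|s=C:\\Transcripts\\20251029\\PowerShell_transcript.host1.xlLj7Isz.20251029113430.txt"
    "|h=host1.domain.local|r=**********************\n"
    "Windows PowerShell transcript start\n"
    "Start time: 20251029113430\n"
    "Username: DOMAIN\\SYSTEM\n"
    "RunAs User: DOMAIN\\SYSTEM\n"
    "Configuration Name: \n"
    "Machine: host1 (Microsoft Windows NT 6.2.9200.0)\n"
    "Host Application: C:\\Program Files\\Veeam\\Availability Console\\CommunicationAgent\\Veeam.MBP.Agent.exe\n"
    "Process ID: 10696\n"
    "PSVersion: 5.1.17763.7919\n"
    "**********************\n"
    "PS>$m = Get-Module -Name 'Veeam.Backup.PowerShell' -ListAvailable\n"
    "if (!$m) { Add-PSSnapin VeeamPSSnapIn }\n"
    "\n"
    "PS>Get-VBRFailoverPlan\n"
    "<42>Oct 29 11:40:00 host2.domain.local i=windows|t=1761738000|st=powershell:transcript"
    "|s=C:\\Transcripts\\example.txt|h=host2.domain.local|r=**********************\n"
    "Windows PowerShell transcript start\n"
    "Start time: 20251029114000\n"
    "Username: DOMAIN\\alice\n"
    "Process ID: 4242\n"
    "**********************\n"
    "PS>Get-Process\n"
)

# Break only where a newline is directly followed by a syslog <PRI> header, so the
# newlines inside the transcript body never start a new event. In Splunk props.conf
# terms this is the idea behind LINE_BREAKER=([\r\n]+)(?=<\d{1,3}>) together with
# SHOULD_LINEMERGE=false (assumption: the PRI header still exists at that stage).
EVENT_BREAK = re.compile(r"\r?\n(?=<\d{1,3}>)")

# First line of every event: <PRI>, BSD syslog timestamp, host, then diode metadata.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<meta>.*)$"
)
RULE = re.compile(r"^\*{5,}$")  # asterisk rows that bracket the transcript header


def break_events(stream: str) -> List[str]:
    """Return one string per event, dropping empty chunks."""
    return [e for e in EVENT_BREAK.split(stream) if e.strip()]


def parse_event(event: str) -> Dict:
    """Split one event into syslog fields, diode metadata, transcript header and commands."""
    lines = event.rstrip("\n").split("\n")
    m = HEADER.match(lines[0])
    if not m:
        raise ValueError("event does not start with a syslog header: %r" % lines[0][:40])
    # Diode metadata is k=v pairs joined by '|'; split on the first '=' only, since
    # values such as the transcript path may themselves contain '='.
    meta = dict(kv.split("=", 1) for kv in m.group("meta").split("|") if "=" in kv)
    transcript: Dict[str, str] = {}
    commands: List[str] = []
    in_header = True
    for line in lines[1:]:
        if RULE.match(line):
            in_header = False  # the closing asterisk row ends the header block
            continue
        if in_header:
            key, sep, val = line.partition(":")
            if sep:
                transcript[key.strip()] = val.strip()
        elif line.startswith("PS>"):
            commands.append(line[3:])
        elif commands and line.strip():
            commands[-1] += "\n" + line  # continuation line of the previous command
    return {
        "pri": int(m.group("pri")),
        "syslog_time": m.group("ts"),
        "host": m.group("host"),
        "meta": meta,
        "transcript": transcript,
        "commands": commands,
    }


def parse_stream(stream: str) -> List[Dict]:
    return [parse_event(e) for e in break_events(stream)]


if __name__ == "__main__":
    for ev in parse_stream(SAMPLE):
        print(ev["host"], ev["meta"].get("st"), ev["transcript"].get("Username"), len(ev["commands"]))
```

Running the file prints one line per event (two, not the fifteen or so that newline-based breaking would produce). The useful check for the pipeline question is the first regex: if the `<PRI>` prefix has already been stripped before event breaking, a lookahead on it matches nothing, which is exactly the symptom of every line becoming its own event.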
