Getting Data In

Event break multiline PowerShell Transcript Log

bibibo

Hello everyone, 

I am ingesting PowerShell Transcript Logs through a data diode. I use the Diode Sender and Receiver add-ons:

Diode Sender Addon Splunk
https://splunkbase.splunk.com/app/6357

Diode Receiver Addon Splunk
https://splunkbase.splunk.com/app/6358

The reason for using these add-ons is to maintain the metadata after passing through the diode. The metadata is encapsulated in the log that is sent and decapsulated before it is indexed.

Raw logs are received as follows:

<42>Oct 29 11:34:30 host1.domain.local i=windows|t=1761737670|st=powershell:transcript|s=C:\Transcripts\20251029\PowerShell_transcript.host1.xlLj7Isz.20251029113430.txt|h=host1.domain.local|r=**********************
Windows PowerShell transcript start
Start time: 20251029113430
Username: DOMAIN\SYSTEM
RunAs User: DOMAIN\SYSTEM
Configuration Name: 
Machine: host1 (Microsoft Windows NT 6.2.9200.0)
Host Application: C:\Program Files\Veeam\Availability Console\CommunicationAgent\Veeam.MBP.Agent.exe
Process ID: 10696
PSVersion: 5.1.17763.7919
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17763.7919
BuildVersion: 10.0.17763.7919
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
PS>$m = Get-Module -Name 'Veeam.Backup.PowerShell' -ListAvailable
if (!$m) { Add-PSSnapin VeeamPSSnapIn }
$m = $null
Connect-VBRServer -server localhost

PS>Get-VBRFailoverPlan

PS>Disconnect-VBRServer
Remove-Module -Name 'Veeam.Backup.PowerShell' -Force -ErrorAction SilentlyContinue


Logs are sent to an Edge Processor.

There I see that the single sample log is broken into several events, using the newline as the line breaker.

[Screenshot: diode-syslog sourcetype]

[Screenshot: Edge Processor - Event Breaking]

What are the sourcetype settings needed to properly split my events? All events arrive with the <42> header, but I don't see it in Edge Processor, so I don't know whether it is stripped off before the event-breaking function.

End Goal:
After the event is properly parsed, I want to use the Hurricane Labs Add-on for Windows PowerShell Transcript (https://splunkbase.splunk.com/app/4984) to extract all the fields of the PS transcript log.

Thanks in advance for your help.

With kind regards,

Christos
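
As an added example (not part of the original post, and not code from the diode or Hurricane Labs add-ons), the following Python script shows the event-breaking logic the question is about, run against a two-event stream constructed from the sample above. It breaks the stream only where the diode sender's syslog header (`<PRI>Mon DD HH:MM:SS host`) begins a new line, the way a Splunk LINE_BREAKER with SHOULD_LINEMERGE = false would, then decapsulates the k=v metadata and pulls the transcript header fields and the command lines out of each event. The props.conf fragment in the comment, its reuse in an Edge Processor event-breaking rule, and the second event (host2, DOMAIN\alice) are assumptions made for this example.

```python
import re

# Splunk-style LINE_BREAKER: capture group 1 (the newlines) is consumed and the
# next event starts at the lookahead, i.e. the "<PRI>Mon DD HH:MM:SS " syslog
# header the diode sender prepends. Assumed props.conf equivalent (assumption:
# the same regex can be used in an Edge Processor event-breaking rule):
#   [diode-syslog]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)
LINE_BREAKER = re.compile(
    r"([\r\n]+)(?=<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)"
)

# Header line as shown in the post: <PRI>timestamp host k=v|k=v|...|r=<first raw line>
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<meta>.*)$"
)
# The "**********************" lines that delimit the transcript header.
BANNER_RE = re.compile(r"^\*{10,}\s*$")


def break_events(stream: str) -> list[str]:
    """Split a raw stream into events; only the diode header starts a new one."""
    parts = LINE_BREAKER.split(stream)
    # re.split interleaves the captured newlines with the pieces; keep the pieces.
    return [p for i, p in enumerate(parts) if i % 2 == 0 and p.strip()]


def parse_transcript(raw: str) -> tuple[dict, list[str]]:
    """Return the 'Key: Value' header fields and the command lines of one transcript."""
    lines = raw.splitlines()
    banners = [i for i, line in enumerate(lines) if BANNER_RE.match(line)]
    if len(banners) < 2:
        raise ValueError("transcript header banners not found")
    fields = {}
    for line in lines[banners[0] + 1 : banners[1]]:
        if ":" in line:  # "Windows PowerShell transcript start" has no colon
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    # A closing banner (transcript end) would start a third block; stop there.
    end = banners[2] if len(banners) > 2 else len(lines)
    commands = [line for line in lines[banners[1] + 1 : end] if line.strip()]
    return fields, commands


def parse_event(event: str) -> dict:
    """Decapsulate the diode header, then parse the PowerShell transcript behind it."""
    lines = event.splitlines()
    match = HEADER_RE.match(lines[0])
    if not match:
        raise ValueError("event does not start with the diode syslog header")
    meta = dict(kv.split("=", 1) for kv in match.group("meta").split("|") if "=" in kv)
    # In the sample the raw log starts right after "r=", so the transcript's first
    # banner line rides on the header line; reattach it before parsing the body.
    raw = "\n".join([meta.pop("r", "")] + lines[1:])
    fields, commands = parse_transcript(raw)
    return {
        "pri": int(match.group("pri")),
        "timestamp": match.group("ts"),
        "host": match.group("host"),
        "meta": meta,
        "transcript": fields,
        "commands": commands,
    }


# Constructed two-event stream: the first event is taken from the post, the
# second (host2, DOMAIN\alice) is made up to show where the break must land.
SAMPLE = (
    "<42>Oct 29 11:34:30 host1.domain.local i=windows|t=1761737670|st=powershell:transcript"
    "|s=C:\\Transcripts\\20251029\\PowerShell_transcript.host1.xlLj7Isz.20251029113430.txt"
    "|h=host1.domain.local|r=**********************\n"
    "Windows PowerShell transcript start\n"
    "Start time: 20251029113430\n"
    "Username: DOMAIN\\SYSTEM\n"
    "Configuration Name: \n"
    "Host Application: C:\\Program Files\\Veeam\\Availability Console\\CommunicationAgent\\Veeam.MBP.Agent.exe\n"
    "Process ID: 10696\n"
    "**********************\n"
    "PS>$m = Get-Module -Name 'Veeam.Backup.PowerShell' -ListAvailable\n"
    "if (!$m) { Add-PSSnapin VeeamPSSnapIn }\n"
    "Connect-VBRServer -server localhost\n"
    "\n"
    "PS>Get-VBRFailoverPlan\n"
    "\n"
    "PS>Disconnect-VBRServer\n"
    "<42>Oct 29 11:35:02 host2.domain.local i=windows|t=1761737702|st=powershell:transcript"
    "|s=C:\\Transcripts\\20251029\\PowerShell_transcript.host2.AbCdEfGh.20251029113502.txt"
    "|h=host2.domain.local|r=**********************\n"
    "Windows PowerShell transcript start\n"
    "Username: DOMAIN\\alice\n"
    "Process ID: 4242\n"
    "**********************\n"
    "PS>Get-Process\n"
)

if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        parsed = parse_event(ev)
        print(parsed["host"], parsed["transcript"].get("Username"), len(parsed["commands"]), "command lines")
```

Keying the break on the diode header rather than on `PS>` or the banner keeps a transcript whose commands span several lines (like the first `PS>` block in the sample) inside one event. If Edge Processor does strip the `<42>` PRI before breaking, drop `<\d{1,3}>` from the lookahead and anchor on the timestamp and host instead.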
