Getting Data In

I can't find EventCodeDescription from Windows logs

OldManEd
Builder

I just loaded Splunk 6.2.3 and am forwarding event log events from my laptop running Windows 7. Everything looks OK except I cannot see any "EventLogDescription" data in Splunk. Was this attribute dropped from Splunk forwarders/indexers or is there an issue with my Windows 7 system? I am not a Windows guy so any help would be appreciated. All I know is that the exact same search works when I'm running on Splunk 2.5 and access other Windows servers.

1 Solution

OldManEd
Builder

I resubmitted this question in another post and figured it out myself. The old search was using a field called "EventCodeDescription". I don't know where/how this field was set. All I know is that this field was giving short Windows event code descriptions for event code numbers like these:

 "4673"        "A privileged service was called"
 "5058"        "Key file operation"
 "4625"        "An account failed to log on"

And that's what I was looking for. I finally found a reference to a similar search, but this one was using the "name" field. And that was it. It appears that somewhere in my old instance of Splunk, the "name" field was renamed to "EventCodeDescription". I don't know where or by whom. But this "name" field is giving me exactly what I was looking for.

View solution in original post

0 Karma
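A search in the shape the answer describes, added here as an illustration and not part of the original post. The index and sourcetype names (index=wineventlog, sourcetype=WinEventLog:Security) are assumptions about how the Windows Security log is being ingested; the three event codes are the ones quoted in the answer. The rename reproduces the "EventCodeDescription" field the old search depended on from the built-in "name" field, so an existing dashboard or alert written against the old field name keeps working without a knowledge-object rename on the indexer:

```spl
index=wineventlog sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=4673 OR EventCode=5058)
| rename name AS EventCodeDescription
| stats count AS events, dc(host) AS hosts BY EventCode, EventCodeDescription
| sort - events
```

If the rename was instead being done globally on the old instance, the equivalent would be a FIELDALIAS stanza in props.conf rather than a per-search rename; either way the description text comes from the event's own "name" field, not from a lookup table.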
