Getting Data In

I can't find EventCodeDescription from Windows logs

OldManEd
Builder

I just loaded Splunk 6.2.3 and am forwarding event log events from my laptop running Windows 7. Everything looks OK except I cannot see any "EventLogDescription" data in Splunk. Was this attribute dropped from Splunk forwarders/indexers or is there an issue with my Windows 7 system? I am not a Windows guy so any help would be appreciated. All I know is that the exact same search works when I'm running on Splunk 2.5 and access other Windows servers.

1 Solution

OldManEd
Builder

I resubmitted this question in another post and figured it out myself. The old search was using a field called "EventCodeDescription". I don't know where/how this field was set. All I know is that this field was giving short Windows event code descriptions for events code numbers like these;

 "4673"        "A privileged service was called"
 "5058"        "Key file operation"
 "4625"        "An account failed to log on"

And that's what I was looking for. I finally found a reference to a similar search, but this one was using the "name" field. And that was it. It appears that somewhere in my old instance of Splunk, the "name" field was renamed to "EventCodeDescription". I don't know where or by whom. But this "name" field is giving me exactly what I was looking for.

View solution in original post

0 Karma

OldManEd
Builder

I resubmitted this question in another post and figured it out myself. The old search was using a field called "EventCodeDescription". I don't know where/how this field was set. All I know is that this field was giving short Windows event code descriptions for events code numbers like these;

 "4673"        "A privileged service was called"
 "5058"        "Key file operation"
 "4625"        "An account failed to log on"

And that's what I was looking for. I finally found a reference to a similar search, but this one was using the "name" field. And that was it. It appears that somewhere in my old instance of Splunk, the "name" field was renamed to "EventCodeDescription". I don't know where or by whom. But this "name" field is giving me exactly what I was looking for.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...