- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just loaded Splunk 6.2.3 and am forwarding event log events from my laptop running Windows 7. Everything looks OK except I cannot see any "EventLogDescription" data in Splunk. Was this attribute dropped from Splunk forwarders/indexers or is there an issue with my Windows 7 system? I am not a Windows guy so any help would be appreciated. All I know is that the exact same search works when I'm running on Splunk 2.5 and access other Windows servers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I resubmitted this question in another post and figured it out myself. The old search was using a field called "EventCodeDescription". I don't know where/how this field was set. All I know is that this field was giving short Windows event code descriptions for events code numbers like these;
"4673" "A privileged service was called"
"5058" "Key file operation"
"4625" "An account failed to log on"
And that's what I was looking for. I finally found a reference to a similar search, but this one was using the "name" field. And that was it. It appears that somewhere in my old instance of Splunk, the "name" field was renamed to "EventCodeDescription". I don't know where or by whom. But this "name" field is giving me exactly what I was looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I resubmitted this question in another post and figured it out myself. The old search was using a field called "EventCodeDescription". I don't know where/how this field was set. All I know is that this field was giving short Windows event code descriptions for events code numbers like these;
"4673" "A privileged service was called"
"5058" "Key file operation"
"4625" "An account failed to log on"
And that's what I was looking for. I finally found a reference to a similar search, but this one was using the "name" field. And that was it. It appears that somewhere in my old instance of Splunk, the "name" field was renamed to "EventCodeDescription". I don't know where or by whom. But this "name" field is giving me exactly what I was looking for.
