Getting Data In

I can't find EventCodeDescription from Windows logs

OldManEd
Builder

I just loaded Splunk 6.2.3 and am forwarding event log events from my laptop running Windows 7. Everything looks OK except I cannot see any "EventLogDescription" data in Splunk. Was this attribute dropped from Splunk forwarders/indexers or is there an issue with my Windows 7 system? I am not a Windows guy so any help would be appreciated. All I know is that the exact same search works when I'm running on Splunk 2.5 and access other Windows servers.

1 Solution

OldManEd
Builder

I resubmitted this question in another post and figured it out myself. The old search was using a field called "EventCodeDescription". I don't know where/how this field was set. All I know is that this field was giving short Windows event code descriptions for events code numbers like these;

 "4673"        "A privileged service was called"
 "5058"        "Key file operation"
 "4625"        "An account failed to log on"

And that's what I was looking for. I finally found a reference to a similar search, but this one was using the "name" field. And that was it. It appears that somewhere in my old instance of Splunk, the "name" field was renamed to "EventCodeDescription". I don't know where or by whom. But this "name" field is giving me exactly what I was looking for.

View solution in original post

0 Karma

OldManEd
Builder

I resubmitted this question in another post and figured it out myself. The old search was using a field called "EventCodeDescription". I don't know where/how this field was set. All I know is that this field was giving short Windows event code descriptions for events code numbers like these;

 "4673"        "A privileged service was called"
 "5058"        "Key file operation"
 "4625"        "An account failed to log on"

And that's what I was looking for. I finally found a reference to a similar search, but this one was using the "name" field. And that was it. It appears that somewhere in my old instance of Splunk, the "name" field was renamed to "EventCodeDescription". I don't know where or by whom. But this "name" field is giving me exactly what I was looking for.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...