Getting Data In

Why the error: Windows Event Logs: renderXml and evt_resolve_ad_obj?

Path Finder

I am deploying the Splunk Windows TA to my UFs.  My test case if UF 8.2.9 and Splunk_TA_windows 8.5. 

When I create inputs that have both renderXml=true and evt_resolve_ad_obj = 1, I am not receiving the SID translations. However, it works sending back standard events instead of XML. Is evt_resolve_ad_obj not supported with renderXml? The documentation makes no mention of this.

The "WinEventLog://Security" input has these settings applied, but the AD search results are not coming back for that input either.

I found nothing in the splunk.log showing any errors.

Here is an example I tried to build outside of the Security events. Again, the evt_resolve_ad_obj works if I remove renderXml=true:



disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = win



Labels (2)
0 Karma


I've encountered a similar issue with the Microsoft-Windows-DNS-Client/Operational log. I wonder if you've found a solution for this case. If you have, could you please share it with me?

0 Karma

Path Finder

I ended up removing the renderXml=true option. It does not look like evt_resolve_ad_obj works with XML or is broken.

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...