Hi
When I execute the query below, the fields in bold appear in different languages, following the Windows OS language.
Is this normal?
Is there a solution to have these fields only in English, even if it's not possible to add a parameter in the stanza like useenglish=true?
index="ai-wkst-wineventlog-fr" sourcetype="WinEventLog:Microsoft-Windows-Diagnostics-Performance/Operational" (EventCode>="100" AND EventCode <="199") Type=* **OpCode="Détérioration du démarrage" TaskCategory="Analyse des performances de démarrage" Nom_du_fichier=* "Durée de la dégradation"=***
Thanks
Sounds to me like you might want to see if you can get your hosts configured to log in English rather than their local language. Not sure if that is possible in Windows?
Solving this after the fact on the Splunk side is going to be a nightmare, and there is definitely not an option to have Splunk automagically translate your Windows event logs to English for you.
You can change the name of the fields using the Field Extractor from the Search & Reporting app in the Splunk interface. After you run your search query, locate the "All Fields" button/link at the top right of the fields section.
A pop-up window should show you all the fields Splunk indexed from your data, including the fields that are not in English. From this new window the Field Extractor can be found in the top right of that pop-up; click "Extract New Fields".
The page should refresh and take you to the Field Extractor. Now select one event from your data to use as a sample event in the table below (I believe by default the data is in _raw format). After you select an event, hit Next at the top of the Splunk interface.
Next, select how the data will be extracted. There are two options, Delimiters and Regular Expressions. Selecting the format depends on the sourcetype you defined for your data. For example, my sourcetype is csv, so I would select Delimiters and then click Next.
Using my example, I would select comma as the delimiter to extract my fields. Now is the section where I can rename the fields that are defined in a different language to English, if I (you) choose to do so.
Hope this helps and happy Splunking!
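The same renaming can be kept out of the UI and pinned to the sourcetype in props.conf, which is what the original question was asking for. The configuration below is an added example and not from either reply or from Splunk's own shipped config; the English alias names (file_name, degradation_duration, opcode_en) and the lookup file name are the editor's own choices, and the lookup maps only the French value that appears in the question. Field aliases rename fields; they do not translate the French values inside them, which is why the lookup is needed for OpCode.

```ini
# props.conf (search-time, on the search head) -- added example, not from the thread.
# Give the French field names a stable English alias so that saved searches and
# alerts can use one field name regardless of the locale of the Windows host.
# The original French field is kept; the alias is added beside it.
[WinEventLog:Microsoft-Windows-Diagnostics-Performance/Operational]
# Field names that contain spaces must be quoted in FIELDALIAS.
FIELDALIAS-english_names = Nom_du_fichier AS file_name "Durée de la dégradation" AS degradation_duration
# Values are still localised, so map known localised OpCode strings to an
# English label through a lookup (definition below). Unknown values simply get
# no opcode_en, which is easy to spot with  | where isnull(opcode_en).
LOOKUP-opcode_en = winperf_opcode_en OpCode OUTPUT opcode_en

# transforms.conf -- lookup definition for the mapping above (assumed name).
[winperf_opcode_en]
filename = winperf_opcode_en.csv
# Match case-insensitively so minor casing differences between hosts do not break it.
case_sensitive_match = false

# lookups/winperf_opcode_en.csv -- constructed sample; the English label for the
# French value is the editor's assumption, not a string taken from Windows.
# OpCode,opcode_en
# "Détérioration du démarrage",boot_degradation_assumed
```

Search-time settings belong in an app on the search head; after deploying, run the original search and check that file_name, degradation_duration and opcode_en appear in the field list alongside the French originals.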