Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- fields in different languags
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
when I execute the query below, I have the fields in bold in different languages following the Windows OS language
Is it normal?
Is there a solution to have these fields only in English even if it's not possible to add a parameter in the stanza like useenglish=true??
index="ai-wkst-wineventlog-fr" sourcetype="WinEventLog:Microsoft-Windows-Diagnostics-Performance/Operational" (EventCode>="100" AND EventCode <="199") Type=* **OpCode="Détérioration du démarrage" TaskCategory="Analyse des performances de démarrage" Nom_du_fichier=* "Durée de la dégradation"=***
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds to me like you might want to see if you can get your hosts configured to log in English rather than their local language. Not sure if that is possible in Windows?
Solving this after the fact on Splunk side is going to be a nightmare and there is definitely not an option to have Splunk automagically translate your windows event logs to english for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds to me like you might want to see if you can get your hosts configured to log in English rather than their local language. Not sure if that is possible in Windows?
Solving this after the fact on Splunk side is going to be a nightmare and there is definitely not an option to have Splunk automagically translate your windows event logs to english for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can change the name of the fields using the Field Extractor from the Search & Reporting app in the Splunk Interface. After you run your search query locate the "All Fields" button/link at the top right of the fields section.
A pop-up window should show you all the fields Splunk indexed from your data including the fields that are not in english. From this new window the Field Extractor can be found in the top right of that pop up, click "Extract New Fields".
The page should refresh and take you to the Field Extractor. Now select one event from your data to use as a sample event in the table below (I believe by default the data is in _raw format). After you select an event hit Next at the top of the Splunk Interface.
Next select how the data will be extracted. There are two options, Delimiters and Regular Expressions. Selecting the format depends on the sourcetype you defined for your data. For example my sourcetype is csv, so I would select Delimiters and then click Next.
Using my example, I would select comma as the delimiter to extract my fields. Now is the section where I can rename the fields that are defined in a different language to English, if I (you) choose to do so.
Hope this helps and happy Splunking!
Splunk Observability for AI
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Splunk Observability as Code: From Zero to Dashboard
