Solved: windows event Ids not parsing all events correctly

RickbondPNT · ‎10-18-2019

When looking at windows event logs I notice that there are a lot of events that still have the and not this hinders my ability to table out different event ids.

I have tried to create a field extractor with the regx ">(?P\d+)<\/EventID>" as noted here https://visibleninja.guru/problemwith-eventid-field-extraction-in-windows_ta-app/.

This did not seem to parse out the event ids correctly. Where else should I put the regx key?

woodcock · ‎10-20-2019

You should be using the Splunk Add-on for Microsoft Windows AKA Splunk_TA_windows here:
https://splunkbase.splunk.com/app/742/
When you use this, all of the field extractions should be in place and work fine. If not, then open a support case with Splunk.

View solution in original post

woodcock · ‎10-20-2019

You should be using the Splunk Add-on for Microsoft Windows AKA Splunk_TA_windows here:
https://splunkbase.splunk.com/app/742/
When you use this, all of the field extractions should be in place and work fine. If not, then open a support case with Splunk.

skalliger · ‎10-20-2019

How are you ingesting the Windows Event logs? Have you taken a look at the docs for both getting data in the the Windows TA? The TA takes care of the extraction of all your needed fields.

Skalli

windows event Ids not parsing all events correctly

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation