By default it is considering the whitespace while parsing the field name in wineventlog

RanjiRaje
Explorer

Hi, can anyone help me with the solution, please?

I have wineventlog as below. By default it is considering the whitespace while parsing the field name.

For example, it should extract the field name as "Provider Name", but instead it is extracting the field name as "Name". It is considering the whitespace and extracting the field name.

Similarly, I have many fields as highlighted below. Please guide me where I have to make such a change to get the correct field names.

Sample Log:

<Event xmlns='http://XXX.YYYY.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{12345-1111-2222-a5ba-XXX}'/><EventID>2222</EventID><Version>0</Version><Level>0</Level><Task>12345</Task><Opcode>0</Opcode><Keywords>1110000000000000</Keywords><TimeCreated SystemTime='2024-07-24T11:36:15.892441300Z'/><EventRecordID>0123456789</EventRecordID><Correlation ActivityID='{11aa2222-abc2-0001-0002-XXXX1122}'/><Execution ProcessID='111' ThreadID='111'/><Channel>Security</Channel><Computer>YYY.xxx.com</Computer><Security/></System><EventData><Data Name='MemberName'>-</Data><Data Name='MemberSid'>CORP\gpininfra-svcaccounts</Data><Data Name='TargetUserName'>Administrators</Data><Data Name='TargetDomainName'>Builtin</Data><Data Name='TargetSid'>BUILTIN\Administrators</Data><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>xyz$</Data><Data Name='SubjectDomainName'>CORP</Data><Data Name='SubjectLogonId'>1A2B</Data><Data Name='PrivilegeList'>-</Data></EventData></Event>

ITWhisperer
SplunkTrust
SplunkTrust

The element (field) is "Provider"; "Name" and "Guid", for that matter, are attributes of the element.

For example, if you extract the fields with spath you will get ...Provider@Name, showing that it is an attribute.

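To make the element-versus-attribute point concrete, here is an added Python example (not from this thread and not Splunk's own extraction code) that walks a trimmed copy of the event above and builds spath-style field names, keying attributes as Element@Attr; it also shows the separate EventData flattening where the value of the Name attribute becomes the field name. The sample event is constructed from the question's log with most elements dropped.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a shortened copy of the event from the question (namespace kept).
SAMPLE_EVENT = (
    "<Event xmlns='http://XXX.YYYY.com/win/2004/08/events/event'>"
    "<System>"
    "<Provider Name='Microsoft-Windows-Security-Auditing' Guid='{12345-1111-2222-a5ba-XXX}'/>"
    "<EventID>2222</EventID>"
    "<TimeCreated SystemTime='2024-07-24T11:36:15.892441300Z'/>"
    "<Execution ProcessID='111' ThreadID='111'/>"
    "<Channel>Security</Channel>"
    "</System>"
    "<EventData>"
    "<Data Name='TargetUserName'>Administrators</Data>"
    "<Data Name='SubjectUserSid'>NT AUTHORITY\\SYSTEM</Data>"
    "</EventData>"
    "</Event>"
)

def _local(tag):
    """Strip the XML namespace ('{uri}Tag' -> 'Tag') so paths read like spath output."""
    return tag.split('}', 1)[1] if tag.startswith('{') else tag

def spath_fields(xml_text):
    """Emit spath-style paths. Attributes become Element@Attr, so 'Name' is never a field
    of its own; repeated paths (the <Data> elements) are collected as multivalue lists."""
    fields = {}
    def put(key, value):
        if key in fields:
            old = fields[key]
            fields[key] = old + [value] if isinstance(old, list) else [old, value]
        else:
            fields[key] = value
    def walk(elem, path):
        for attr, value in elem.attrib.items():
            put(f"{path}@{attr}", value)          # attribute of the element
        text = (elem.text or "").strip()
        if text:
            put(path, text)                       # element text
        for child in elem:
            walk(child, f"{path}.{_local(child.tag)}")
    root = ET.fromstring(xml_text)
    walk(root, _local(root.tag))
    return fields

def eventdata_fields(xml_text):
    """Flatten <Data Name='X'>v</Data> into X=v: the Name attribute's value is the key."""
    root = ET.fromstring(xml_text)
    return {d.attrib['Name']: (d.text or '').strip()
            for d in root.iter() if _local(d.tag) == 'Data' and 'Name' in d.attrib}

if __name__ == "__main__":
    for k, v in spath_fields(SAMPLE_EVENT).items():
        print(k, "=", v)
    print(eventdata_fields(SAMPLE_EVENT))
```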

RanjiRaje
Explorer

Hi, thanks for your reply. I just had a look in the transforms.conf file and saw such stanzas:

[system_props_xml_attributes]
# Extracts values from following fields:
# Provider: Name, Guid
# TimeCreated: SystemTime, RawTime
# Correlation: ActivityID, RelativeActivityID
# Execution: ProcessID, ThreadID, ProcessorID, SessionID, KernelTime, UserTime, ProcessorTime
# Security: UserID

So, for the element "Provider", Name & Guid are attributes;
similarly, for the element "TimeCreated", SystemTime & RawTime are attributes.

So the fields are parsing correctly, right?

ITWhisperer
SplunkTrust
SplunkTrust

It looks that way.

RanjiRaje
Explorer

Thanks for clarifying.
