Event log cannot be fully displayed in Field Extra...

LuiesCui · ‎03-09-2019

Hey fellow Splunker's. I'm trying to extract some fields from Windows event logs. When I search these logs the content looks great:

But when I want to extract more fields, some of the content just disappear in Field Extractor:

So I can't get those fields extracted. Any suggestions? Thanks in advanced!

damann · ‎03-12-2019

The built in field extractor could work but why don't you build your regex from scratch?
www.regex101.com will help and explain you a lot!

If you provide an example event and describe what you want to have extracted I'm sure that i can help you with that.

skalliger · ‎03-10-2019

Did you try setting CHARSET = UTF-16 in your props.conf?

Skalli

LuiesCui · ‎03-10-2019

Hi Skalli, thanks for you reply. I put CHARSET = UTF-16 to the props.conf in my app and still don't see the rest of the content.

lakshman239 · ‎03-11-2019

I believe the splunk's extractor only loads certain number of chars/events.. Have you loaded your event to rex101 [ https://regex101.com/] and tried to extract your required fields?

Another option, would be to setup the universal forwarder to collect the data in XML renderXml=true [ if that's acceptable in your case, as it will show everything in english]

Event log cannot be fully displayed in Field Extractor

Enterprise Security Content Update (ESCU) | New Releases

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...