Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract fields for WinEventLog Fields when Exported as a CSV?

jodros
Builder
‎04-03-2018 11:37 AM

I am trying not to reinvent the wheel. There is a requirement where WinEventLogs are indexed as csv files. The sourcetype is automatically detected as structured data and set to csv. I have tried to look through the Splunk_TA_Windows to see if there were any field extraction config that I could modify slightly to get the field extractions to work. So far I have been unsuccessful. The issue is that the normal message of the log is showing as EXTRA_FIELD_6. I could create a bunch of manual field extractions for Account Name, Account Domain, etc, but it would be great if I could leverage someone else's heavy lifting.

Any thoughts would be appreciated.

Thanks

0 Karma
Reply

splunker12er
Motivator
‎04-03-2018 08:29 PM

Yes, by default with csv as sourcetype for window event logs - it will extract _time, date and time, event_id, extracted_source, level, task category and the EXTRA_FIELDS_6 - if you still need the EXTRA_FIELD_6 to be parsed and properly extract the fields you need to field-extraction using regex (OR) delimiters.

try this link, you ll have some idea,
https://answers.splunk.com/answers/145841/is-there-any-way-to-manually-load-a-windows-event-log-into...

0 Karma
Reply

jodros
Builder
‎04-04-2018 07:10 AM

Thank you. I don't have an issue with getting the wineventlog into csv. And yes I need to extract the fields that are now within "EXTRA_FIELD_6". I was hoping to leverage the Splunk_TA_Windows and make a few tweaks, so I would not have to do all of the extractions manually.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...