How to extract fields for WinEventLog Fields when ...

jodros · ‎04-03-2018

I am trying not to reinvent the wheel. There is a requirement where WinEventLogs are indexed as csv files. The sourcetype is automatically detected as structured data and set to csv. I have tried to look through the Splunk_TA_Windows to see if there were any field extraction config that I could modify slightly to get the field extractions to work. So far I have been unsuccessful. The issue is that the normal message of the log is showing as EXTRA_FIELD_6. I could create a bunch of manual field extractions for Account Name, Account Domain, etc, but it would be great if I could leverage someone else's heavy lifting.

Any thoughts would be appreciated.

Thanks

splunker12er · ‎04-03-2018

Yes, by default with csv as sourcetype for window event logs - it will extract _time, date and time, event_id, extracted_source, level, task category and the EXTRA_FIELDS_6 - if you still need the EXTRA_FIELD_6 to be parsed and properly extract the fields you need to field-extraction using regex (OR) delimiters.

try this link, you ll have some idea,
https://answers.splunk.com/answers/145841/is-there-any-way-to-manually-load-a-windows-event-log-into...

jodros · ‎04-04-2018

Thank you. I don't have an issue with getting the wineventlog into csv. And yes I need to extract the fields that are now within "EXTRA_FIELD_6". I was hoping to leverage the Splunk_TA_Windows and make a few tweaks, so I would not have to do all of the extractions manually.

How to extract fields for WinEventLog Fields when Exported as a CSV?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann