I am trying not to reinvent the wheel. There is a requirement where WinEventLogs are indexed as csv files. The sourcetype is automatically detected as structured data and set to csv. I have tried to look through the SplunkTAWindows to see if there were any field extraction config that I could modify slightly to get the field extractions to work. So far I have been unsuccessful. The issue is that the normal message of the log is showing as EXTRAFIELD6. I could create a bunch of manual field extractions for Account Name, Account Domain, etc, but it would be great if I could leverage someone else's heavy lifting.
Yes, by default with csv as sourcetype for window event logs - it will extract time, date and time, eventid, extractedsource, level, task category and the EXTRAFIELDS6 - if you still need the EXTRAFIELD_6 to be parsed and properly extract the fields you need to field-extraction using regex (OR) delimiters.
Thank you. I don't have an issue with getting the wineventlog into csv. And yes I need to extract the fields that are now within "EXTRAFIELD6". I was hoping to leverage the SplunkTAWindows and make a few tweaks, so I would not have to do all of the extractions manually.