We have installed a universal forwarder on a DC. In order to reduce the size of the windows logs indexed, we have used the option suppress_text=1 under [WinEvenLog://Security] section in the inputs.conf file on the splunk universal forwarder. However, after setting this option, it happens that many interesting fields have disappeared like the Account_Name, Account_Domain, Logon_Type, etc.
So I have the following questions:
- Are all these fields extracted from the message part?
- What exactly contains the message part?
- What remains exactly when suppress_text=1 option is set?
Thanks for your help
... View more