Hi, I have added the //Jobs stanza into the input.conf file on the print server, but unfortunately I am not seeing the user field. Please let me know if you have any recommendations. /Paul
Hi, You are correct the Message field is not included and other fields that I would like to use have generic names, Data, which is not very helpful for the reports/dashboard I want to make. We are using xml because it requires less storage space and possibly faster, but have not really seen any performance advantage from my testing so far. I think we might have to rethink the xml version of that data. Cheers, Paul
Hi, From sourcetype XmlWinEventLog we are missing the data in these Event Viewer fields located in the General tab in this screenshot. For example TaskCategory and Keywords. It should be included as we are pulling the identical data from another server with sourcetype WinEventLog and all of those fields are in the events.
Hi All, I was hoping that modification of KV_Mode=xml in props.conf under the [xmlwineventlog] stanza on the standalone index\search head\deployment server would properly parse the Event View data from servers, but unfortunately I am not seeing all the message data that should be included. Here is a sample of data, please see Event.EventData.Binary field:
Good morning Rich, I appreciate your response, but I am not understanding your explanation " because the regex contains HTML-encoded < and > characters." as I do not see the < and > characters. Could you highlight or modify the rex script with the proper syntax required for it to work correctly? Cheers, Paul
I appreciate any assistance with my Rex error.
When running this Rex command:
| rex "New Logon:\s+Security ID:\s+(?<account>.*)"
I receive the following error, "Rex in dashboard says missing terminator"
Thanks in advance!