Windows platforms italian language

RemigioGastaldo · ‎01-15-2014

Hi, I'm beginner about this product and I ask for help.
I installed the package "splunkforwarder-6.0.1-189883-x86-release.msi"
on Windows ENU language and all EventLog are forwarded and parsed correctly so I may build reports/dashboard.

I've installed the same package on Windows ITALIAN version.
The Event Log are forwarded but not parsed correctly.

This is the begin of original message:
Message=Accesso alla rete riuscito:
Nome utente: Administrator
Dominio: W2K3ITA
ID accesso: (0x0,0x1738E4)
Tipo accesso: 2
Processo di accesso: User32

.....
.....

I think may be a localized language problem.

Can someone help me?

marcoscala · ‎03-06-2014

Remigio,
the "problem" is fields definition. Fields in Splunk can either discoveder automatically by Splunk by default on a syntax like "string=value", or you can simply define them using regex. Field extractions are based on the "sourcetype", that is the "kind" of log data you're analyzing.

Pre defined sourcetype, like WinEventLog:* rely on english default language to recognize fields. So, you should enhance this by defining new fields extraction for the WinEventLog:* sourcetypes using the string in Italian.

More about defining fields extractions can be found here: http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Managesearch-timefieldextractions

Regards,
Marco Scal

Windows platforms italian language

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life