All Apps and Add-ons

Why are Windows event log fields not extracting properly in our set up?

adossant
New Member

We are using WMI to send Windows event logs to a Windows UF with Windows-TA installed/configured from deployment server. For the most part this is working as it should. However, we are finding an issue that occurs across multiple servers for various application and system event logs entries where field extraction is not occurring properly. On the UF events viewer, Windows Logs/Forwarded events, the event log fields/entries appear properly. However, when we do a search the fields are not there.

We took one of the Windows servers and installed the UF and Windows-TA app on it. In this set up, the fields for the same event log entry extract properly and are available in a search.

We've looked at a lot of conf files and no luck as of yet. Ideas?

0 Karma

OldManEd
Builder

Adossant,
Were you able to figure this one out yet? I believe I'm seeing the same kind of issue with my instance.
~Ed

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...