All Apps and Add-ons

Splunk Add-on for Microsoft Windows: Why is WinEventLog:Security EventCodeDescription data missing?

OldManEd
Builder

I just loaded the Splunk Windows Universal Forwarder 6.3 on a Windows box and ran the following search:

    index=<index name> sourcetype="WinEventLog:Security" | stats sparkline count by EventCode, EventCodeDescription

I received the message, "No Results Found".

I then altered the search to the following:

    index=<index name> sourcetype="WinEventLog:Security"

I did get results. I looked under "fields" and did not see eventcodedescription. I have searches that run on a Splunk 4.5 instance collecting data from older Windows boxes, and everything is fine. Has anyone seen this before? Is the problem with Splunk 6.3 Forwarder/Indexers, or with the Windows boxes themselves? I did install "Splunk_TA_Windows" on everything (Search Head/Deployment Server/Indexers/Forwarders) to parse the Windows log data, but I'm still not seeing the entry.

Any ideas?

1 Solution

OldManEd
Builder

OK, I found it. The old search was using a field called "EventCodeDescription". I don't know where/how this field was set. All I know is that this field was giving short Windows event code descriptions for event code numbers like these:

"4673"        "A privileged service was called"
"5058"        "Key file operation"
"4625"        "An account failed to log on"

And that's what I was looking for. I finally found a reference to a similar search, but this one was using the "name" field. And that was it. It appears that somewhere in my old instance of Splunk, the "name" field was renamed to "EventCodeDescription". I don't know where or by whom. But this "name" field is giving me exactly what I was looking for.


pappjr
Path Finder

As of Splunk_TA_windows 4.82 (released on 2/29/2016) it looks like EventCodeDescription has been renamed to 'signature'. This appears to be generated by an automatic lookup that should provide you the descriptions you're looking for right out of the box.
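
As an added illustration (not the Splunk_TA_windows add-on's own configuration, and not anything the posters wrote), this is how an automatic lookup of the kind pappjr describes is wired up in props.conf and transforms.conf, so that an old search keyed on EventCodeDescription keeps working alongside the TA's `signature` field. The CSV file name, the lookup name and the LOOKUP- class name are assumptions.

```ini
# lookups/windows_eventcode_desc.csv (assumed file name) holds rows such as:
#   EventCode,EventCodeDescription
#   4625,An account failed to log on
#   4673,A privileged service was called
#   5058,Key file operation

# transforms.conf: define the lookup table (stanza name is an assumption)
[eventcode_description_lookup]
filename = windows_eventcode_desc.csv

# props.conf: attach it to the sourcetype as an automatic (search-time) lookup.
# The event's EventCode is matched against the CSV and EventCodeDescription
# is added. OUTPUTNEW only fills the field when the event does not already
# carry it, so a TA version that sets it itself is never overwritten.
[WinEventLog:Security]
LOOKUP-eventcode_description = eventcode_description_lookup EventCode OUTPUTNEW EventCodeDescription

# Search that works whichever field carries the description. Note that
# "stats ... by" drops every event that lacks one of the "by" fields, which
# is why a search grouping by a field that does not exist returns no results.
#   index=<index name> sourcetype="WinEventLog:Security"
#   | eval description=coalesce(signature, name, EventCodeDescription)
#   | stats sparkline count by EventCode, description
```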

OldManEd
Builder

Hey pappjr, thanks for the update. I just ran a test search and it appears that the fields "name" and "signature" give me the same results in 6.3.0. It's all good.

woodcock
Esteemed Legend

Your forwarders are probably using suppress_text=true. Read about it here:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/MonitorWindowsdata

OldManEd
Builder

Woodcock,
From what I read, the default for "suppress_text" is false. But, just to be sure, I made an entry in the inputs.conf file to force it to false, "supress_text = 0", but nothing changed. I still don't see any data or even a field called "EventCodeDescription" in the 6.3 instance.
