All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Microsoft Windows: Why is dest_nt_domain field not extracting properly?

responsys_cm
Builder
‎12-19-2016 02:29 PM

For some Windows event logs (such as Security log Event Code 4624), the "Account Domain" field appears twice in the event, such as:

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

New Logon:
    Security ID:        Domain\User
    Account Name:       User
    Account Domain:     Domain
    Logon ID:       0x10e78b284
    Logon GUID:     {9C42AF4A-04C2-DB77-9462-7BF2E02E8CFD}

From what I can tell, Splunk is automatically extracting these fields. There is nothing in props.conf to extract the Account_Domain field. Since "Account Domain:" appears twice in the event, once with the value "-" and once with the value "Domain", the resulting event appears as "- Domain".

It isn't a multivalued field. I've tried applying makemv to it without success. I could turn it into a multivalued field if I used space as the delimiter, but that would then screw up fields where "NT AUTHORITY" is the domain.

Given that this seems to be an issue with how Splunk automatically extracts data for "key: value" pairs, does anyone have an idea how best to work around this so domains are identified properly?

Is there a way to use the "replace" function of eval in the data model setting for the dest_nt_domain field to replace the "- " value with nothing?

0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎12-21-2016 08:00 PM

as far as I remember, dest_nt_domain is defined in a transforms.conf. REGEX could be modified to avoid parting "-" by creating a transforms.conf in local directory, I guess.

0 Karma
Reply

hgrow
Communicator
‎12-20-2016 02:55 AM

Hi responsys_cm,

this is not a direct answer to your question but recently i got pointed at this blog about win-event-log:

http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/

Maybe the xml-field-extractions are a bit more robust and already solve the problem with the key-value-extraction. Additionally it comes with more benifits wich are described in the blog. Atleast something worth a try?

Greetings.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...