All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Microsoft Windows: Why is dest_nt_domain field not extracting properly?

responsys_cm
Builder
‎12-19-2016 02:29 PM

For some Windows event logs (such as Security log Event Code 4624), the "Account Domain" field appears twice in the event, such as:

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

New Logon:
    Security ID:        Domain\User
    Account Name:       User
    Account Domain:     Domain
    Logon ID:       0x10e78b284
    Logon GUID:     {9C42AF4A-04C2-DB77-9462-7BF2E02E8CFD}

From what I can tell, Splunk is automatically extracting these fields. There is nothing in props.conf to extract the Account_Domain field. Since "Account Domain:" appears twice in the event, once with the value "-" and once with the value "Domain", the resulting event appears as "- Domain".

It isn't a multivalued field. I've tried applying makemv to it without success. I could turn it into a multivalued field if I used space as the delimiter, but that would then screw up fields where "NT AUTHORITY" is the domain.

Given that this seems to be an issue with how Splunk automatically extracts data for "key: value" pairs, does anyone have an idea how best to work around this so domains are identified properly?

Is there a way to use the "replace" function of eval in the data model setting for the dest_nt_domain field to replace the "- " value with nothing?

0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎12-21-2016 08:00 PM

as far as I remember, dest_nt_domain is defined in a transforms.conf. REGEX could be modified to avoid parting "-" by creating a transforms.conf in local directory, I guess.

0 Karma
Reply

hgrow
Communicator
‎12-20-2016 02:55 AM

Hi responsys_cm,

this is not a direct answer to your question but recently i got pointed at this blog about win-event-log:

http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/

Maybe the xml-field-extractions are a bit more robust and already solve the problem with the key-value-extraction. Additionally it comes with more benifits wich are described in the blog. Atleast something worth a try?

Greetings.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...