Solved: Why is the TA_Windows 5 breaks Splunk Security Ess...

skenigma · ‎07-17-2018

Splunk_TA_Windows renames the sourcetypes for the windows logs.
WinEventLog:Security for example is renamed to wineventlog

Security Essentials searches fail.

| metasearch earliest=-2h latest=now sourcetype="*WinEventLog:Security" index=* | head 100 | stats count

Is this planned on being fixed, or should I remove Splunk_TA_Windows to use Security Essentials?

David · ‎07-17-2018

Ah ha! Thank you for the detailed question! I wasn't aware of this.

Yes, I'm nearing complete on SSE 2.2, and will have this fixed in that version. I'll post back here once I release it, but expect it no more than 2 weeks away, and I'll strive to have it done within 1 week.

View solution in original post

David · ‎07-17-2018

Ah ha! Thank you for the detailed question! I wasn't aware of this.

Yes, I'm nearing complete on SSE 2.2, and will have this fixed in that version. I'll post back here once I release it, but expect it no more than 2 weeks away, and I'll strive to have it done within 1 week.

skenigma · ‎07-17-2018

Thank you for your response. I look forward to working with the new version and verifying the data.

Why is the TA_Windows 5 breaks Splunk Security Essentials?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!