Solved: windows event Ids not parsing all events correctly

RickbondPNT · ‎10-18-2019

When looking at windows event logs I notice that there are a lot of events that still have the and not this hinders my ability to table out different event ids.

I have tried to create a field extractor with the regx ">(?P\d+)<\/EventID>" as noted here https://visibleninja.guru/problemwith-eventid-field-extraction-in-windows_ta-app/.

This did not seem to parse out the event ids correctly. Where else should I put the regx key?

woodcock · ‎10-20-2019

You should be using the Splunk Add-on for Microsoft Windows AKA Splunk_TA_windows here:
https://splunkbase.splunk.com/app/742/
When you use this, all of the field extractions should be in place and work fine. If not, then open a support case with Splunk.

View solution in original post

woodcock · ‎10-20-2019

You should be using the Splunk Add-on for Microsoft Windows AKA Splunk_TA_windows here:
https://splunkbase.splunk.com/app/742/
When you use this, all of the field extractions should be in place and work fine. If not, then open a support case with Splunk.

skalliger · ‎10-20-2019

How are you ingesting the Windows Event logs? Have you taken a look at the docs for both getting data in the the Windows TA? The TA takes care of the extraction of all your needed fields.

Skalli

windows event Ids not parsing all events correctly

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk