In Windows events, in a lot of cases you get a result code in hex notation, and then you have to look it up to see what each hex value means. Is there any way to change the hex to a meaningful expression by substituting the hex code with its meaning? Preferably at search time.
Yes, you can use a lookup table for this. Some work has been done in this area already by ftk, and packaged into an app. Could http://splunkbase.splunk.com/apps/All/4.x/Add-On/app:Windows+Event+Codes+Lookup help you?
It should, yes: lookups are applied at search time. See http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsfromexternaldatasources for more information on lookups.
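As an added illustration (not code from the linked app or from Splunk), here is a small Python model of what a search-time lookup does, including a caveat a Splunk CSV lookup shares: the hex string in the event must match the table entry exactly, so normalising case and leading zeros before the match avoids silent misses. The lookup table and sample events are constructed; the three Kerberos failure codes are real values from Event ID 4771.

```python
import csv
import io
import re

# Constructed lookup table in the shape a Splunk CSV lookup would have.
# The three Kerberos failure codes are real Event ID 4771 values.
LOOKUP_CSV = """code,meaning
0x6,KDC_ERR_C_PRINCIPAL_UNKNOWN
0x12,KDC_ERR_CLIENT_REVOKED
0x18,KDC_ERR_PREAUTH_FAILED
"""

# Constructed sample events: note the inconsistent hex spellings.
EVENTS = [
    "EventCode=4771 Account Name: jsmith Failure Code: 0x18",
    "EventCode=4771 Account Name: svc-backup Failure Code: 0X0012",
    "EventCode=4771 Account Name: admin Failure Code: 0x6",
    "EventCode=4771 Account Name: guest Failure Code: 0x40",
]

FAILURE_CODE = re.compile(r"Failure Code:\s*(0[xX][0-9A-Fa-f]+)")


def normalise_hex(code: str) -> str:
    """Canonical form: lower-case '0x' with no leading zeros, so '0X0012' == '0x12'."""
    return f"0x{int(code, 16):x}"


def load_lookup(csv_text: str) -> dict:
    """Read the CSV lookup, normalising the key column the same way as the events."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[normalise_hex(row["code"])] = row["meaning"]
    return table


def enrich(event: str, table: dict) -> dict:
    """Mimic a search-time lookup: extract the code and add a 'meaning' field."""
    m = FAILURE_CODE.search(event)
    code = normalise_hex(m.group(1)) if m else None
    return {"raw": event, "code": code, "meaning": table.get(code, "UNKNOWN")}


def enrich_all(events=EVENTS, csv_text=LOOKUP_CSV):
    table = load_lookup(csv_text)
    return [enrich(e, table) for e in events]


if __name__ == "__main__":
    for r in enrich_all():
        print(r["code"], r["meaning"])
```

In Splunk the same normalisation can be done with `eval` before the `lookup` command, or, for the case part only, with `case_sensitive_match = false` in the lookup definition.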
Will this work with my already indexed data?