I'm trying to troubleshoot some Windows Event Log events coming into Splunk. The events are stream processed, and come in as JSON. Here is a sample (obfuscated):

{"Version":"0","Level":"0","Task":"12345","Opcode":"0","Keywords":"0x8020000000000000","Correlation_ActivityID":"{99999999-9999-9999-9999-999999999999}","Channel":"Security","Guid":"99999999-9999-9999-9999-999999999999","Name":"Microsoft-Windows-Security-Auditing","ProcessID":"123","ThreadID":"12345","RecordID":"999999","TargetUserSid":"AD\\user","TargetLogonId":"0xXXXXXXXXX"}

There are a number of indexed fields as well, including "Computer" and "EventID".

What's interesting - signature_id seems to be created, but when I search on it, it fails. In this event, signature_id is shown under "Interesting Fields" with the value 4647, but if I put signature_id=4647 in the search line, it comes back with no results. If I put EventID=4647, it comes back with the result. I'm using Smart Mode.

This led me to dig into the Fields configurations (aliases, calculations, etc.), but I couldn't figure out how signature_id was created in the Windows TA. Can anyone provide any insight?

Thank you!
Ed