Hello Splunkers,
Facing one issue in identifying Creator_Process_Name.
In the Windows process creation event we have New_Process_ID, New_Process_Name and Creator_Process_ID. Using these alone we cannot identify the process which created New_Process_Name, but there is a chance that Creator_Process_ID equals New_Process_ID in some other event, so from that event I need to populate Creator_Process_Name.
For example:
index=wineventlog hostname1 | eval Creator_Process_Name=if(Creator_Process_ID==New_Process_ID, New_Process_Name, null())
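Added example, not code from the post: the correlation being asked for, written in Python over constructed 4688 rows (field names as in the post, PID values and paths invented). Each Creator_Process_ID is matched to the most recent earlier event whose New_Process_ID equals it, which is what a time-ordered self-join in SPL has to do, and it shows why a same-event eval cannot work and why PID reuse matters.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class ProcessCreation:
    time: datetime
    new_pid: int
    new_name: str
    creator_pid: int
    creator_name: Optional[str] = None  # populated by resolve_creator_names

# Constructed sample rows, not real log data:
# (_time, New_Process_ID, New_Process_Name, Creator_Process_ID)
SAMPLE_4688 = [
    ("2024-01-01T10:00:00", "0x1fc", r"C:\Windows\explorer.exe", "0x3e8"),
    ("2024-01-01T10:00:05", "0x2a4", r"C:\Windows\System32\cmd.exe", "0x1fc"),
    ("2024-01-01T10:00:09", "0x3b0", r"C:\Windows\System32\whoami.exe", "0x2a4"),
    # PID 0x2a4 is reused later by a different process
    ("2024-01-01T10:01:00", "0x2a4", r"C:\Windows\System32\notepad.exe", "0x1fc"),
    ("2024-01-01T10:01:03", "0x4c8", r"C:\Windows\System32\calc.exe", "0x2a4"),
]

def parse_pid(value: str) -> int:
    """4688 renders PIDs as hex strings such as 0x1fc; accept decimal too."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)

def load_events(rows) -> list:
    return [ProcessCreation(datetime.fromisoformat(t), parse_pid(npid), name, parse_pid(cpid))
            for t, npid, name, cpid in rows]

def resolve_creator_names(events: list) -> list:
    """Fill creator_name from the latest earlier event that created the creator PID.

    Walking in time order and keeping only the newest event per New_Process_ID
    means a reused PID resolves to the process that currently owns it, not the
    first one ever seen. Parents started before the search window stay None.
    """
    ordered = sorted(events, key=lambda e: e.time)
    latest_by_pid = {}
    for ev in ordered:
        parent = latest_by_pid.get(ev.creator_pid)
        ev.creator_name = parent.new_name if parent else None
        latest_by_pid[ev.new_pid] = ev
    return ordered
```

On Windows 10 / Server 2016 and later, 4688 already carries a Creator Process Name field, so this correlation is only needed for events from older hosts.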