All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field EventDescription and Splunk Add-on for Sysmon

altink
Builder
‎10-04-2023 10:54 AM

Dear Support

I have downloaded Splunk Add-on for Sysmon.
I am also using Sysmon App for Splunk - which requires the prior.

My sysmon data are stored on an index named os_sysmon.

Some dashboards of Sysmon App for Splunk show empty, because they rely on a field named EventDescription.

I did check deployment of Splunk Add-on for Sysmon, under folder lookups, and did find there a file named microsoft_sysmon_eventcode.csv just as doc:
Lookups for the Splunk Add-on for Sysmon 
... says

The file is populated with 28 entries and has two fields:
EventCode and EventDescription 

when I search my index:
index = os_sysmon

I do get field EventCode, but not the EventDescription 
(the same is for lookup file microsoft_sysmon_record_type.csv - I do have record_type but not the record_type_name)

Now,  the Sysmon App for Splunk has only one macro - named sysmon - with an original sourcetype=....., which I changed to index=sysmon.

No try to derivate any EventDescription  field from EventCode via the lookup file.

Seems strange that developers of Sysmon App for Splunk forgot to create (eval) used field EventDescription  from EventCode (via lookup) in their only macro.

Should I do it myself there, or is it something to fix at Splunk Add-on for Sysmon - and how?

best regards
Altin

Labels (1)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-06-2023 09:41 AM

This is not Splunk Support. This is a community-driven forum.

0 Karma
Reply

_JP
Contributor
‎10-06-2023 09:17 AM

The lookup can be there, but it might not be defined as an Automatic Lookup.  Take a look at your lookup configurations for the Sysmon app - an automatic lookup could be defined there and disabled.  You can also define your own. 

0 Karma
Reply

unionub
Loves-to-Learn
‎10-18-2023 05:46 AM

Hi @_JP 

There are two automatic lookups (for the two csv-s) under Splunk Add-on for Sysmon.
Both are enabled.

The one I am interested in looks like this:
lookup.jpg

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...