All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sysmon Add-on - lookup eventcode not processed correctly

corti77
Communicator
‎11-20-2023 04:16 AM

hi,

I have splunk 9.0.6 and sysmon add-on 3.1.0. 

The lookup table called "microsoft_sysmon_eventcode.csv" correctly appears in Splunk Lookup Table Files list.

corti77_0-1700482421026.png

 

But, in the automatic lookup, the Lookup-eventcode is wrongly assigned to "eventcode" lookup instead of "sysmon_eventcode".

corti77_1-1700482459755.png

 

Searching for this "eventcode" lookup, it belongs to the app Defender.

corti77_2-1700482545604.png

 

Surprisingly, when I tried to fix this bug using the UI, the sysmon_eventcode lookup table did not appear in the dropdown list. I only see "sysmon-record_type-lookup".

corti77_0-1700482896017.png

 

Do you have any idea what might be happening?

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...