Splunk® Supported Add-ons

Splunk Add-on for Microsoft Windows

Lookups for the Splunk Add-on for Windows

The Splunk Add-on for Windows has the following lookups that map fields from Windows systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/lookups.

Lookup table file Lookup definition Description
windows_dns_action_lookup.csv windows_dns_action_lookup Maps DNS server response messages to action results, reply_code, reply_code_id
dns_recordclass_lookup.csv dns_recordclass_lookup Maps DNS record class numbers to DNS record classes
windows_dns_query_type_lookup.csv windows_dns_query_type_lookup Maps OpCode to query type
msdhcp_signatures.csv msdhcp_signature_lookup Provides mapping for DHCP ID and Signature message for DHCP Server logs
ntsyslog_mappings.csv ntsyslog_mappings Provides mapping of NTSyslog event codes and action
object_category_850.csv endpoint_change_object_category_lookup Provides mapping of object and object_category for the Windows registry
status_850.csv endpoint_change_status_lookup Provides mapping of status id and status for the Windows registry
user_types.csv endpoint_change_user_type_lookup Provides mapping of sourcetypes and user types for the Windows registry
vendor_actions.csv endpoint_change_vendor_action_lookup Provides mapping of actions for the Windows registry
windows_actions.csv windows_action_lookup Provides mapping of type and action for Windows Security Event Logs
windows_apps.csv windows_app_lookup Provides mapping of logon type and app for Windows Security Event Logs
windows_audit_changes_880.csv windows_audit_changes_lookup Provides mapping of audit change types and action for Windows Security Event Logs
windows_eventtypes.csv windows_eventtype_lookup Provides mapping of event type and description for Windows Event Logs
windows_privileges.csv windows_privilege_lookup Provides mapping of privilege ids and privilege labels for Windows Security Event Logs
windows_severities.csv windows_severity_lookup Provides mapping of event code, type and severity for Windows Event Logs
windows_signatures_860.csv windows_signature_lookup Provides mapping of signature id and message for Windows Event Logs
windows_signatures_substatus_850.csv windows_signature_lookup2 Provides mapping of signature id, sub status codes and message for Windows Event Logs
windows_timesync_actions.csv windows_timesync_action_lookup Provides mapping of time sync for Windows Event Logs
windows_update_statii.csv windows_update_status_lookup Provides mapping of event codes and their status for Windows Update Logs
wmi_user_account_status.csv wmi_user_account_status_lookup Provides mapping of status for WMI provided user account information
wmi_version_range.csv wmi_version_range_lookup Provides mapping of sourcetypes for WMI provided version information
xmlsecurity_eventcode_action_multiinput.csv xmlsecurity_eventcode_action_lookup_multiinput Provides mapping of event codes, sub status, actions and their messages for Windows Security Event Logs
xmlsecurity_eventcode_action.csv xmlsecurity_eventcode_action_lookup Provides mapping of event codes, actions and their messages for Windows Security Event Logs
xmlsecurity_eventcode_errorcode_action.csv xmlsecurity_eventcode_errorcode_action_lookup Merged lookup (xmlsecurity_eventcode_action.csv + xmlsecurity_eventcode_action_multiinput.csv)
windows_endpoint_port_transport.csv windows_endpoint_port_transport_lookup Provides mapping of protocol and transport for Windows Security Event Logs
windows_endpoint_service_service_name.csv windows_endpoint_service_service_name_lookup Provides mapping of EventCode, service and service_name for Windows Security Event Logs
windows_endpoint_service_service_type.csv windows_endpoint_service_service_type_lookup Provides mapping of Service_Start_Type and start_mode for Windows Security Event Logs
windows_wineventlog_change_action_880.csv windows_wineventlog_change_action_lookup Provides mapping of EventCode, action and status for Windows Security Event Logs
windows_wineventlog_change_object_fields_860.csv windows_wineventlog_change_object_fields_lookup Provides mapping of EventCode, change_type, object_attrs, object_category and result for Windows Security Event Logs
xmlsecurity_change_audit_and_account_management_880.csv xmlsecurity_change_audit_and_account_management_lookup Provides mapping of EventCode, object_attrs and result for Windows Security Event Logs
windows_start_mode_lookup.csv windows_start_mode_lookup Provides mapping of StartType and start_mode for Windows System Event Logs

Search time lookup: Convert Windows Event Log eventType values to strings

The Splunk Add-on for Windows includes a lookup that converts the numeric EventType value of a Windows event to a descriptive string. To use the lookup, enter the following in the search bar of a Splunk Enterprise instance with the add-on installed, replacing <new field> with the name of the field that should receive the description:

| lookup windows_eventtype_lookup EventType OUTPUTNEW Description AS <new field>
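The following added example (not part of the Splunk documentation or the add-on) emulates what that search-time lookup does: it loads a constructed stand-in for windows_eventtypes.csv (columns EventType and Description are assumed from the search above), applies it to constructed Security log events with OUTPUTNEW semantics (an existing field is never overwritten, unmatched events pass through unchanged), and then counts Failure Audit events per host the way a following stats command would.

```python
import csv
import io

# Constructed stand-in for windows_eventtypes.csv (columns assumed: EventType, Description).
# Values are the classic Windows event-log EventType codes; the add-on's real file may differ.
WINDOWS_EVENTTYPES_CSV = """EventType,Description
1,Error
2,Warning
4,Information
8,Success Audit
16,Failure Audit
"""

# Constructed sample events, shaped like WinEventLog:Security events after field extraction.
SAMPLE_EVENTS = [
    {"host": "dc01", "EventCode": "4624", "EventType": "8"},
    {"host": "dc01", "EventCode": "4625", "EventType": "16"},
    {"host": "ws07", "EventCode": "4625", "EventType": "16"},
    {"host": "ws07", "EventCode": "7036", "EventType": "4", "event_type_label": "preset"},
    {"host": "ws07", "EventCode": "9999", "EventType": "99"},  # no lookup row matches
]

def load_lookup(csv_text, key_field):
    """Parse a CSV lookup table into {key_value: row_dict}, keyed on key_field."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row[key_field]: row for row in rows}

def apply_lookup(events, table, key_field, out_field, as_field, output_new=True):
    """Emulate `| lookup <table> <key_field> OUTPUT|OUTPUTNEW <out_field> AS <as_field>`.
    OUTPUTNEW (output_new=True) fills as_field only when the event lacks it; OUTPUT overwrites.
    Events whose key has no row in the table are returned unchanged."""
    result = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's events
        row = table.get(ev.get(key_field))
        if row is not None and (not output_new or as_field not in ev):
            ev[as_field] = row[out_field]
        result.append(ev)
    return result

def failure_audits_by_host(events):
    """Equivalent of `| search event_type_label="Failure Audit" | stats count BY host`."""
    counts = {}
    for ev in events:
        if ev.get("event_type_label") == "Failure Audit":
            counts[ev["host"]] = counts.get(ev["host"], 0) + 1
    return counts
```

Swapping output_new=False reproduces the OUTPUT clause, which overwrites the preset label on the fourth sample event; the difference matters when an earlier eval or extraction already populated the target field.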

Last modified on 25 September, 2023

This documentation applies to the following versions of Splunk® Supported Add-ons: released
