Lookups for the Splunk Add-on for Windows
The Splunk Add-on for Windows has the following lookups that map fields from Windows systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/lookups
.
Lookup table file | Lookup definition | Description |
---|---|---|
fs_notification_change_type.csv | fs_notification_change_type_lookup | Provides mapping of sourcetypes and change types for windows registry and file system change notifications |
msdhcp_signatures.csv | msdhcp_signature_lookup | Provides mapping for DHCP ID and Signature message for DHCP Server logs |
ntsyslog_mappings.csv | ntsyslog_mappings | Provides mapping of NTSyslog event codes and action |
object_category.csv | endpoint_change_object_category_lookup | Provides mapping of object and object_category for windows registry and file system change notifications |
status.csv | endpoint_change_status_lookup | Provides mapping of status id and status for windows registry and file system change notifications |
user_types.csv | endpoint_change_user_type_lookup | Provides mapping of sourcetypes and user types for windows registry and file system change notifications |
vendor_actions.csv | endpoint_change_vendor_action_lookup | Provides mapping of actions for windows registry and file system change notifications |
windows_actions.csv | windows_action_lookup | Provides mapping of type and action for Windows Security Event Logs |
windows_apps.csv | windows_app_lookup | Provides mapping of logon type and app for Windows Security Event Logs |
windows_audit_changes.csv | windows_audit_changes_lookup | Provides mapping of audit change types and action for Windows Security Event Logs |
windows_eventtypes.csv | windows_eventtype_lookup | Provides mapping of event type and description for Windows Event Logs |
windows_privileges.csv | windows_privilege_lookup | Provides mapping of privilege ids and privilege labels for Windows Security Event Logs |
windows_severities.csv | windows_severity_lookup | Provides mapping of event code, type and severity for Windows Event Logs |
windows_signatures.csv | windows_signature_lookup | Provides mapping of signature id and message for Windows Event Logs |
windows_signatures_substatus.csv | windows_signature_lookup2 | Provides mapping of signature id, sub status codes and message for Windows Event Logs |
windows_timesync_actions.csv | windows_timesync_action_lookup | Provides mapping of time sync for Windows Event Logs |
windows_update_statii.csv | windows_update_status_lookup | Provides mapping of event codes and their status for Windows Update Logs |
wmi_user_account_status.csv | wmi_user_account_status_lookup | Provides mapping of status for WMI provided user account information |
wmi_version_range.csv | wmi_version_range_lookup | Provides mapping of sourcetypes for WMI provided version information |
xmlsecurity_eventcode_action_multiinput.csv | xmlsecurity_eventcode_action_lookup_multiinput | Provides mapping of event codes, sub status, actions and their messages for Windows Security Event Logs |
xmlsecurity_eventcode_action.csv | xmlsecurity_eventcode_action_lookup | Provides mapping of event codes, actions and their messages for Windows Security Event Logs |
xmlsecurity_eventcode_errorcode_action.csv | xmlsecurity_eventcode_errorcode_action_lookup | Merged lookup (xmlsecurity_eventcode_action.csv + xmlsecurity_eventcode_action_multiinput.csv) |
Search time lookup: Convert Windows Event Log eventType values to strings
The Splunk Add-on for Windows includes a lookup that lets you convert a Windows event EventType numerical value to a string. To use the lookup, enter the following in a search bar on a Splunk Enterprise instance with the add-on installed:
| lookup windows_eventtype_lookup EventType OUTPUTNEW Description AS <new field>
Troubleshoot the Splunk Add-on for Windows | Performance reference for the Splunk Add-on for Windows |
This documentation applies to the following versions of Splunk® Add-on for Windows: 5.0.1
Feedback submitted, thanks!