Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

This documentation does not apply to the most recent version of WindowsAddOn.

Lookups for the Splunk Add-on for Windows

The Splunk Add-on for Windows has the following lookups that map fields from Windows systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/lookups.

| Lookup table file | Lookup definition | Description |
|---|---|---|
| fs_notification_change_type.csv | fs_notification_change_type_lookup | Provides mapping of sourcetypes and change types for Windows registry and file system change notifications |
| msdhcp_signatures.csv | msdhcp_signature_lookup | Provides mapping for DHCP ID and Signature message for DHCP Server logs |
| ntsyslog_mappings.csv | ntsyslog_mappings | Provides mapping of NTSyslog event codes and action |
| object_category.csv | endpoint_change_object_category_lookup | Provides mapping of object and object_category for Windows registry and file system change notifications |
| status.csv | endpoint_change_status_lookup | Provides mapping of status id and status for Windows registry and file system change notifications |
| user_types.csv | endpoint_change_user_type_lookup | Provides mapping of sourcetypes and user types for Windows registry and file system change notifications |
| vendor_actions.csv | endpoint_change_vendor_action_lookup | Provides mapping of actions for Windows registry and file system change notifications |
| windows_actions.csv | windows_action_lookup | Provides mapping of type and action for Windows Security Event Logs |
| windows_apps.csv | windows_app_lookup | Provides mapping of logon type and app for Windows Security Event Logs |
| windows_audit_changes.csv | windows_audit_changes_lookup | Provides mapping of audit change types and action for Windows Security Event Logs |
| windows_eventtypes.csv | windows_eventtype_lookup | Provides mapping of event type and description for Windows Event Logs |
| windows_privileges.csv | windows_privilege_lookup | Provides mapping of privilege ids and privilege labels for Windows Security Event Logs |
| windows_severities.csv | windows_severity_lookup | Provides mapping of event code, type and severity for Windows Event Logs |
| windows_signatures.csv | windows_signature_lookup | Provides mapping of signature id and message for Windows Event Logs |
| windows_signatures_substatus.csv | windows_signature_lookup2 | Provides mapping of signature id, sub status codes and message for Windows Event Logs |
| windows_timesync_actions.csv | windows_timesync_action_lookup | Provides mapping of time sync for Windows Event Logs |
| windows_update_statii.csv | windows_update_status_lookup | Provides mapping of event codes and their status for Windows Update Logs |
| wmi_user_account_status.csv | wmi_user_account_status_lookup | Provides mapping of status for WMI provided user account information |
| wmi_version_range.csv | wmi_version_range_lookup | Provides mapping of sourcetypes for WMI provided version information |
| xmlsecurity_eventcode_action_multiinput.csv | xmlsecurity_eventcode_action_lookup_multiinput | Provides mapping of event codes, sub status, actions and their messages for Windows Security Event Logs |
| xmlsecurity_eventcode_action.csv | xmlsecurity_eventcode_action_lookup | Provides mapping of event codes, actions and their messages for Windows Security Event Logs |
| xmlsecurity_eventcode_errorcode_action.csv | xmlsecurity_eventcode_errorcode_action_lookup | Merged lookup (xmlsecurity_eventcode_action.csv + xmlsecurity_eventcode_action_multiinput.csv) |

Search time lookup: Convert Windows Event Log EventType values to strings

The Splunk Add-on for Windows includes a lookup that lets you convert a Windows event EventType numerical value to a string. To use the lookup, enter the following in a search bar on a Splunk Enterprise instance with the add-on installed:

| lookup windows_eventtype_lookup EventType OUTPUTNEW Description AS <new field>

This documentation applies to the following versions of Splunk® Add-on for Windows: 5.0.1

