This documentation does not apply to the most recent version of Splunk® Add-on for Windows.
For documentation on the most recent version, go to the latest release.
Lookups for the Splunk Add-on for Windows
The Splunk Add-on for Windows has the following lookups that map fields from Windows systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/lookups.
| Lookup table file | Lookup definition | Description |
|---|---|---|
| dns_action_lookup.csv | dns_action_lookup | Maps DNS server response messages to action results |
| dns_recordclass_lookup.csv | dns_recordclass_lookup | Maps DNS record class numbers to DNS record classes |
| dns_vendor_lookup.csv | dns_vendor_lookup | Maps source types to DNS vendor (Microsoft) |
| fs_notification_change_type.csv | fs_notification_change_type_lookup | Provides mapping of sourcetypes and change types for windows registry and file system change notifications |
| msdhcp_signatures.csv | msdhcp_signature_lookup | Provides mapping for DHCP ID and Signature message for DHCP Server logs |
| ntsyslog_mappings.csv | ntsyslog_mappings | Provides mapping of NTSyslog event codes and action |
| object_category.csv | endpoint_change_object_category_lookup | Provides mapping of object and object_category for windows registry and file system change notifications |
| status.csv | endpoint_change_status_lookup | Provides mapping of status id and status for windows registry and file system change notifications |
| user_types.csv | endpoint_change_user_type_lookup | Provides mapping of sourcetypes and user types for windows registry and file system change notifications |
| vendor_actions.csv | endpoint_change_vendor_action_lookup | Provides mapping of actions for windows registry and file system change notifications |
| windows_actions.csv | windows_action_lookup | Provides mapping of type and action for Windows Security Event Logs |
| windows_apps.csv | windows_app_lookup | Provides mapping of logon type and app for Windows Security Event Logs |
| windows_audit_changes.csv | windows_audit_changes_lookup | Provides mapping of audit change types and action for Windows Security Event Logs |
| windows_eventtypes.csv | windows_eventtype_lookup | Provides mapping of event type and description for Windows Event Logs |
| windows_privileges.csv | windows_privilege_lookup | Provides mapping of privilege ids and privilege labels for Windows Security Event Logs |
| windows_severities.csv | windows_severity_lookup | Provides mapping of event code, type and severity for Windows Event Logs |
| windows_signatures.csv | windows_signature_lookup | Provides mapping of signature id and message for Windows Event Logs |
| windows_signatures_substatus.csv | windows_signature_lookup2 | Provides mapping of signature id, sub status codes and message for Windows Event Logs |
| windows_timesync_actions.csv | windows_timesync_action_lookup | Provides mapping of time sync for Windows Event Logs |
| windows_update_statii.csv | windows_update_status_lookup | Provides mapping of event codes and their status for Windows Update Logs |
| wmi_user_account_status.csv | wmi_user_account_status_lookup | Provides mapping of status for WMI provided user account information |
| wmi_version_range.csv | wmi_version_range_lookup | Provides mapping of sourcetypes for WMI provided version information |
| xmlsecurity_eventcode_action_multiinput.csv | xmlsecurity_eventcode_action_lookup_multiinput | Provides mapping of event codes, sub status, actions and their messages for Windows Security Event Logs |
| xmlsecurity_eventcode_action.csv | xmlsecurity_eventcode_action_lookup | Provides mapping of event codes, actions and their messages for Windows Security Event Logs |
| xmlsecurity_eventcode_errorcode_action.csv | xmlsecurity_eventcode_errorcode_action_lookup | Merged lookup (xmlsecurity_eventcode_action.csv + xmlsecurity_eventcode_action_multiinput.csv) |
Search time lookup: Convert Windows Event Log eventType values to strings
The Splunk Add-on for Windows includes a lookup that lets you convert a Windows event EventType numerical value to a string. To use the lookup, enter the following in a search bar on a Splunk Enterprise instance with the add-on installed:
| lookup windows_eventtype_lookup EventType OUTPUTNEW Description AS <new field>
Last modified on 15 February, 2019
| Troubleshoot the Splunk Add-on for Windows | Performance reference for the Splunk Add-on for Windows |
This documentation applies to the following versions of Splunk® Add-on for Windows: 6.0.0
Download manual
Feedback submitted, thanks!