Lookups for the Splunk Add-on for Windows
The Splunk Add-on for Windows has the following lookups that map fields from Windows systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/lookups
.
Lookup table file | Lookup definition | Description |
---|---|---|
dns_action_lookup.csv
|
dns_action_lookup
|
Maps DNS server response messages to action results |
dns_recordclass_lookup.csv
|
dns_recordclass_lookup
|
Maps DNS record class numbers to DNS record classes |
dns_vendor_lookup.csv
|
dns_vendor_lookup
|
Maps source types to DNS vendor (Microsoft) |
fs_notification_change_type.csv
|
fs_notification_change_type_lookup
|
Provides mapping of sourcetypes and change types for windows registry and file system change notifications |
msdhcp_signatures.csv
|
msdhcp_signature_lookup
|
Provides mapping for DHCP ID and Signature message for DHCP Server logs |
ntsyslog_mappings.csv
|
ntsyslog_mappings
|
Provides mapping of NTSyslog event codes and action |
object_category.csv
|
endpoint_change_object_category_lookup
|
Provides mapping of object and object_category for windows registry and file system change notifications |
status.csv
|
endpoint_change_status_lookup
|
Provides mapping of status id and status for windows registry and file system change notifications |
user_types.csv
|
endpoint_change_user_type_lookup
|
Provides mapping of sourcetypes and user types for windows registry and file system change notifications |
vendor_actions.csv
|
endpoint_change_vendor_action_lookup
|
Provides mapping of actions for windows registry and file system change notifications |
windows_actions.csv
|
windows_action_lookup | Provides mapping of type and action for Windows Security Event Logs |
windows_apps.csv
|
windows_app_lookup
|
Provides mapping of logon type and app for Windows Security Event Logs |
windows_audit_changes.csv
|
windows_audit_changes_lookup
|
Provides mapping of audit change types and action for Windows Security Event Logs |
windows_eventtypes.csv
|
windows_eventtype_lookup
|
Provides mapping of event type and description for Windows Event Logs |
windows_privileges.csv
|
windows_privilege_lookup
|
Provides mapping of privilege ids and privilege labels for Windows Security Event Logs |
windows_severities.csv
|
windows_severity_lookup
|
Provides mapping of event code, type and severity for Windows Event Logs |
windows_signatures.csv
|
windows_signature_lookup
|
Provides mapping of signature id and message for Windows Event Logs |
windows_signatures_substatus.csv
|
windows_signature_lookup2
|
Provides mapping of signature id, sub status codes and message for Windows Event Logs |
windows_timesync_actions.csv
|
windows_timesync_action_lookup
|
Provides mapping of time sync for Windows Event Logs |
windows_update_statii.csv
|
windows_update_status_lookup
|
Provides mapping of event codes and their status for Windows Update Logs |
wmi_user_account_status.csv
|
wmi_user_account_status_lookup
|
Provides mapping of status for WMI provided user account information |
wmi_version_range.csv
|
wmi_version_range_lookup
|
Provides mapping of sourcetypes for WMI provided version information |
xmlsecurity_eventcode_action_multiinput.csv
|
xmlsecurity_eventcode_action_lookup_multiinput
|
Provides mapping of event codes, sub status, actions and their messages for Windows Security Event Logs |
xmlsecurity_eventcode_action.csv
|
xmlsecurity_eventcode_action_lookup
|
Provides mapping of event codes, actions and their messages for Windows Security Event Logs |
xmlsecurity_eventcode_errorcode_action.csv
|
xmlsecurity_eventcode_errorcode_action_lookup
|
Merged lookup (xmlsecurity_eventcode_action.csv + xmlsecurity_eventcode_action_multiinput.csv )
|
windows_endpoint_port_transport.csv
|
windows_endpoint_port_transport_lookup
|
Provides Mapping of protocol and transport for Windows Security Event Logs
|
windows_endpoint_service_service_name.csv
|
windows_endpoint_service_service_name_lookup
|
Provides Mapping of EventCode, service and service_name for Windows Security Event Logs |
windows_endpoint_service_service_type.csv
|
windows_endpoint_service_service_type_lookup
|
Provides Mapping of Service_Start_Type and start_mode for Windows Security Event Logs |
windows_wineventlog_change_action.csv
|
windows_wineventlog_change_action_lookup
|
Provides Mapping of EventCode,action and status for Windows Security Event Logs |
windows_wineventlog_change_object_fields.csv
|
windows_wineventlog_change_object_fields_lookup
|
Provides Mapping of EventCode, change_type, object_attrs, object_category and result for Windows Security Event Logs |
xmlsecurity_change_audit_and_account_management.csv
|
xmlsecurity_change_audit_and_account_management_lookup
|
Provides Mapping of EventCode, object_attrs and result for Windows Security Event Logs |
Search time lookup: Convert Windows Event Log eventType values to strings
The Splunk Add-on for Windows includes a lookup that lets you convert a Windows event EventType numerical value to a string. To use the lookup, enter the following in a search bar on a Splunk Enterprise instance with the add-on installed:
| lookup windows_eventtype_lookup EventType OUTPUTNEW Description AS <new field>
Troubleshoot the Splunk Add-on for Windows | Performance reference for the Splunk Add-on for Windows |
This documentation applies to the following versions of Splunk® Add-on for Windows: 8.1.1
Feedback submitted, thanks!