Today’s very short post is about an issue I came across while viewing Application event logs that were onboarded with the Windows_TA app. The EventID field wasn’t being populated for most events. Looking more closely at the raw events, I could see that EventID is represented in two different ways depending on the event:
The first one has EventID extracted successfully, but the second one does not.
The fix was simple. I added a global field extraction for sourcetype XmlWinEventLog:Application:
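The post’s screenshots of the two event shapes and of the extraction itself are not reproduced here, so the following is an added example, not the author’s extraction or anything shipped with the Windows_TA app. It assumes the two representations are a bare `<EventID>` element versus one carrying an attribute (`Qualifiers='…'` is the usual case for legacy Application-log providers), and that the extraction that fails is a regex that only accepts the bare form. The sample events are constructed to look like XmlWinEventLog output; they are not real log data.

```python
import re

# Constructed sample events in the XmlWinEventLog layout (assumed; not taken
# from the post). The first uses the plain <EventID> form, the other two carry
# a Qualifiers attribute, once single-quoted and once double-quoted.
SAMPLE_EVENTS = [
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-RestartManager'/>"
    "<EventID>10000</EventID><Version>0</Version><Level>4</Level>"
    "<Channel>Application</Channel></System></Event>",
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Application Error'/>"
    "<EventID Qualifiers='0'>1000</EventID><Version>0</Version><Level>2</Level>"
    "<Channel>Application</Channel></System></Event>",
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='MsiInstaller'/>"
    '<EventID Qualifiers="0">1033</EventID><Version>0</Version><Level>4</Level>'
    "<Channel>Application</Channel></System></Event>",
]

# Extraction that only handles a bare <EventID> element. This is an assumed
# stand-in for the default behaviour described in the post, not the TA's code.
NARROW_EVENTID = re.compile(r"<EventID>(?P<EventID>\d+)</EventID>")

# Extraction that tolerates attributes on the element. The optional group only
# fires after whitespace, so a hypothetical <EventIDFoo> element is not matched.
# In Splunk's PCRE syntax the named group is written (?<EventID>\d+).
ROBUST_EVENTID = re.compile(r"<EventID(?:\s[^>]*)?>(?P<EventID>\d+)</EventID>")


def extract_event_id(event: str, pattern: re.Pattern = ROBUST_EVENTID):
    """Return the EventID string, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("EventID") if m else None


def compare_extractions(events):
    """For each event, return (narrow_result, robust_result) so the gap is visible."""
    return [
        (extract_event_id(e, NARROW_EVENTID), extract_event_id(e, ROBUST_EVENTID))
        for e in events
    ]


if __name__ == "__main__":
    for narrow, robust in compare_extractions(SAMPLE_EVENTS):
        print(f"narrow={narrow!r:>8}  robust={robust!r}")
```

The narrow pattern returns an EventID only for the first sample; the tolerant pattern returns one for all three. A global field extraction on the sourcetype is, under the hood, an `EXTRACT-` setting in props.conf, so the equivalent of the tolerant pattern (assumed form, not the author’s exact stanza) would be `EXTRACT-EventID = <EventID(?:\s[^>]*)?>(?<EventID>\d+)</EventID>` under `[XmlWinEventLog:Application]`. Before relying on it, search that sourcetype with `| stats count by EventID` and confirm the previously empty values are gone.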
I’ve submitted this feedback to the Splunk team, and I’ll update this post if it’s resolved in future updates of the Windows_TA app.