Skip to content

Lookups for the Splunk Add-on for Windows

The Splunk Add-on for Windows has the following lookups that map fields from Windows systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/lookups

Lookup File Lookup definition Description
windows_dns_action_lookup.csv windows_dns_action_lookup Maps DNS server response messages to action results, reply_code, reply_code_id
dns_recordclass_lookup.csv dns_recordclass_lookup Maps DNS record class numbers to DNS record classes
windows_dns_query_type_lookup.csv windows_dns_query_type_lookup Maps OpCode to query type
msdhcp_signatures.csv msdhcp_signature_lookup Provides mapping for DHCP ID and Signature message for DHCP Server logs
ntsyslog_mappings.csv ntsyslog_mappings Provides mapping of NTSyslog event codes and action
object_category_850.csv endpoint_change_object_category_lookup Provides mapping of object and object_category for windows registry
status_850.csv endpoint_change_status_lookup Provides mapping of status id and status for windows registry
user_types.csv endpoint_change_user_type_lookup Provides mapping of sourcetypes and user types for windows registry
vendor_actions.csv endpoint_change_vendor_action_lookup Provides mapping of actions for windows registry
windows_actions.csv windows_action_lookup Provides mapping of type and action for Windows Security Event Logs
windows_apps.csv windows_app_lookup Provides mapping of logon type and app for Windows Security Event Logs
windows_audit_changes_900.csv windows_audit_changes_lookup Provides mapping of audit change types and action for Windows Security Event Logs
windows_eventtypes.csv windows_eventtype_lookup Provides mapping of event type and description for Windows Event Logs
windows_privileges.csv windows_privilege_lookup Provides mapping of privilege ids and privilege labels for Windows Security Event Logs
windows_severities.csv windows_severity_lookup Provides mapping of event code, type and severity for Windows Event Logs
windows_signatures_900.csv windows_signature_lookup Provides mapping of signature id and message for Windows Event Logs
windows_signatures_substatus_850.csv windows_signature_lookup2 Provides mapping of signature id, sub status codes and message for Windows Event Logs
windows_timesync_actions.csv windows_timesync_action_lookup Provides mapping of time sync for Windows Event Logs
windows_update_statii.csv windows_update_status_lookup Provides mapping of event codes and their status for Windows Update Logs
wmi_user_account_status.csv wmi_user_account_status_lookup Provides mapping of status for WMI provided user account information
wmi_version_range.csv wmi_version_range_lookup Provides mapping of sourcetypes for WMI provided version information
xmlsecurity_eventcode_action_multiinput.csv xmlsecurity_eventcode_action_lookup_multiinput Provides mapping of event codes, sub status, actions and their messages for Windows Security Event Logs
xmlsecurity_eventcode_action.csv xmlsecurity_eventcode_action_lookup Provides mapping of event codes, actions and their messages for Windows Security Event Logs
xmlsecurity_eventcode_errorcode_action.csv xmlsecurity_eventcode_errorcode_action_lookup Merged lookup (xmlsecurity_eventcode_action.csv + xmlsecurity_eventcode_action_multiinput.csv)
windows_endpoint_port_transport.csv windows_endpoint_port_transport_lookup Provides Mapping of protocol and transport for Windows Security Event Logs
windows_endpoint_service_service_name.csv windows_endpoint_service_service_name_lookup Provides Mapping of EventCode, service and service_name for Windows Security Event Logs
windows_endpoint_service_service_type.csv windows_endpoint_service_service_type_lookup Provides Mapping of Service_Start_Type and start_mode for Windows Security Event Logs
windows_wineventlog_change_action_900.csv windows_wineventlog_change_action_lookup Provides Mapping of EventCode,action and status for Windows Security Event Logs
windows_wineventlog_change_object_fields_900.csv windows_wineventlog_change_object_fields_lookup Provides Mapping of EventCode, change_type, object_attrs, object_category and result for Windows Security Event Logs
xmlsecurity_change_audit_and_account_management_900.csv xmlsecurity_change_audit_and_account_management_lookup Provides Mapping of EventCode, object_attrs and result for Windows Security Event Logs
windows_start_mode_lookup.csv windows_start_mode_lookup Provides Mapping of StartType and start_mode for Windows System Event Logs
xmlwindows_task_category.csv xmlwindows_task_category_lookup Provides Mapping of TaskCategoryand Keywords for Windows System Event Logs

Search time lookup: Convert Windows Event Log eventType values to strings

The Splunk Add-on for Windows includes a lookup that lets you convert a Windows event EventType numerical value to a string. To use the lookup, enter the following in a search bar on a Splunk Enterprise instance with the add-on installed

Search

| lookup windows_eventtype_lookup EventType OUTPUTNEW Description AS <new field>