![alt text][1]
Hi,
I am using SplunkUniversalForwarder to forward exported evtx files from a Windows 7 machine to an Enterprise instance running on an Ubuntu server. On the Ubuntu server not all fields are extracted in the right way, especially the message field (see attached screenshot), and it can't parse the subfields of the message.
When I indexed them locally on the Windows machine, everything worked fine. But I need to index them on the Enterprise instance because of size and license issues.
Thanks,
[1]: /storage/temp/121266-screen-shot-2016-04-16-at-15949-pm.png