dstaulcu

Results 32 comments of dstaulcu

Thanks for closing so many PRs today. Did Florian's Twitter post about his GitHub bullying tactic get under your skin? Jokes aside, looking forward to keeping you busy with this...

host_fqdn seems to be extracting reliably for me for sysmon events on my splunk server dedicated to the ThreatHunting app and its dependencies. I have Splunk_TA_windows v8.50 and Splunk_TA_microsoft_sysmon v3.0.0....

I've submitted PR #103 as a proposed change to handle issues no matter what wineventlog rendering type the sources of interest have. ![image](https://user-images.githubusercontent.com/6827994/191639406-85aae131-85c6-4107-804d-cf8b37b55e2d.png)

No problem. I think you will find that a few other field extractions are missing if you continue down the non-XML route for sysmon. I'd bite the bullet and...

That is a good idea. I stumbled on this sort of issue at first as well and I have many years of experience with sysmon and splunk. I'd suggest forking...

Was just looking at outstanding pull requests. Have y'all seen the allow_skew feature in [savedsearches.conf](https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Savedsearchesconf)? I don't know what version of Splunk allow_skew was introduced with, but seems like that...

Good catch! Found an additional case and submitted PR #119 having proposed solution.

Suggested changes added to existing pull request.

Thanks for reaching out! I haven't touched this code in years but could take another crack at it if you would find that helpful. A few months after I made...

Take a look at closed issues in GitHub. This sort of symptom has been addressed in issue discussions several times. Often it comes down to source/source type values for sysmon...