In Server 2008 and above the Windows Event Log has a General tab and a Details tab. Splunk is great at polling and indexing the General tab, but the Details tab, whether the Friendly view or the XML view, also has data that is critical to troubleshooting.
My case in point: Exchange 2010 event log WinEventLog:MSExchange Management is being polled and indexed. An event looks like this:
20121128102958.000000
Category=1
CategoryString=General
EventCode=6
EventIdentifier=-1073741818
EventType=1
Logfile=MSExchange Management
RecordNumber=428075
SourceName=MSExchange CmdletLogs
TimeGenerated=20121128162958.000000-000
TimeWritten=20121128162958.000000-000
Type=Error
User=NULL
ComputerName=EXCHANGESERVER.DOMAIN.COM
wmi_type=WinEventLog:MSExchange Management
Message=Cmdlet failed. Cmdlet Add-DistributionGroupMember, parameters {Identity="GUID=big-long-serial-number", Member="distinguishedName of user", Confirm=False}.
The error message that the Cmdlet failed is not specific enough. In the details tab this same event may have many different reasons. Here are two:
Microsoft.Exchange.Management.Tasks.MemberAlreadyExistsException: The recipient "distinguishedName of user" is already a member of the group "distinguishedName of distribution group".
Microsoft.Exchange.Data.Directory.ADScopeException: "distinguishedName of distribution group" isn't within your current write scopes. Can't perform save operation.
Similar event, two different reasons. One reason requires attention, the other can be ignored.
So my question is how can Splunk index this detail data behind the general event information?
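As an added example, not part of the original question or of any Splunk or Exchange code, the PowerShell below shows what the Details tab actually contains and how the exception type can be pulled out of it. It calls Get-WinEvent and the event object's ToXml() method, which returns the same XML the Event Viewer's XML view shows, and parses the <EventData> section. The two sample events are constructed from the two reasons quoted above; the exact <Data> layout of real MSExchange CmdletLogs events, and which exception type is the ignorable one, are assumptions marked in the comments.

```powershell
# Added example (not from the original post or from Splunk/Exchange).
# Parses the Details/XML view of a Windows event and extracts the exception
# type that the General tab's "Cmdlet failed." message leaves out.

function Get-EventDetails {
    param([Parameter(Mandatory)] [string] $EventXml)

    $xml = [xml] $EventXml
    $ns  = New-Object System.Xml.XmlNamespaceManager $xml.NameTable
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # Every <Data> element under <EventData>; named ones keyed by their Name
    # attribute, unnamed ones by position (Exchange uses both styles).
    $data = [ordered]@{}
    $i = 0
    foreach ($d in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $key = $d.GetAttribute('Name')
        if (-not $key) { $key = "Data$i" }
        $data[$key] = $d.InnerText
        $i++
    }

    [pscustomobject]@{
        RecordId      = $xml.SelectSingleNode('/e:Event/e:System/e:EventRecordID', $ns).InnerText
        EventId       = $xml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
        Data          = $data
        ExceptionType = Get-ExceptionType ($data.Values -join ' ')
    }
}

function Get-ExceptionType {
    param([string] $Text)
    # Exchange writes the fully qualified exception type before the first colon,
    # e.g. Microsoft.Exchange.Management.Tasks.MemberAlreadyExistsException: ...
    if ($Text -match '(?<type>[A-Za-z0-9_.]+Exception)') { return $Matches.type }
    return $null
}

# ASSUMPTION: MemberAlreadyExists is the reason that can be ignored; the scope
# error is the one that needs attention. Adjust to taste.
$IgnorableExceptions = @('Microsoft.Exchange.Management.Tasks.MemberAlreadyExistsException')

function Test-NeedsAttention {
    param([Parameter(Mandatory)] $Details)
    return -not ($IgnorableExceptions -contains $Details.ExceptionType)
}

# --- Constructed samples (not real log data): the two reasons from the question,
# --- wrapped in the Windows event XML schema. Real events may carry more <Data>.
$Samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MSExchange CmdletLogs"/><EventID>6</EventID>
    <EventRecordID>428075</EventRecordID><Channel>MSExchange Management</Channel></System>
  <EventData>
    <Data>Add-DistributionGroupMember</Data>
    <Data>{Identity="GUID=big-long-serial-number", Member="distinguishedName of user", Confirm=False}</Data>
    <Data>Microsoft.Exchange.Management.Tasks.MemberAlreadyExistsException: The recipient "distinguishedName of user" is already a member of the group "distinguishedName of distribution group".</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MSExchange CmdletLogs"/><EventID>6</EventID>
    <EventRecordID>428076</EventRecordID><Channel>MSExchange Management</Channel></System>
  <EventData>
    <Data>Add-DistributionGroupMember</Data>
    <Data>{Identity="GUID=big-long-serial-number", Member="distinguishedName of user", Confirm=False}</Data>
    <Data>Microsoft.Exchange.Data.Directory.ADScopeException: "distinguishedName of distribution group" isn't within your current write scopes. Can't perform save operation.</Data>
  </EventData>
</Event>
'@
)

foreach ($s in $Samples) {
    $d = Get-EventDetails -EventXml $s
    '{0}  EventID={1}  {2}  needsAttention={3}' -f $d.RecordId, $d.EventId, $d.ExceptionType, (Test-NeedsAttention $d)
}

# Live use on the Exchange server (same assumed Data layout). ToXml() returns
# exactly what the Event Viewer's XML view displays for the event.
# Get-WinEvent -LogName 'MSExchange Management' -FilterXPath '*[System[EventID=6]]' -MaxEvents 50 |
#     ForEach-Object { Get-EventDetails -EventXml $_.ToXml() } |
#     Where-Object { Test-NeedsAttention $_ }
```

The point of the example is that the reason text is present in the event's XML (the <EventData> section), not in the rendered message Splunk's WinEventLog input shows above, so any fix has to get that XML rendering into the index rather than the General-tab summary; the regex on the exception type name then gives a field worth alerting on.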