Closed Net4u13 closed 5 months ago
It's just a warning as the records get processed is all. It's based on the order in the file itself vs how things get displayed. It generally can be ignored.
The value not found is also informational and just means the key in the map isn't there, so it's going to use an empty string vs null.
Hth
When processing Windows event logs with EvtxECmd I frequently see a notice that time just went backwards, but when reviewing the event logs there is not a gap in logs observed. An example is provided below. Can you help to explain what this is indicating?
I also frequently observe a message stating that a value is not found and is replaced with an empty string. An example is provided below. Can you help to explain what this is indicating?
Record # 75146 (Event Record Id: 75146): In map for event 1150, Property /Event/EventData/Data[@Name="Signature version"] not found! Replacing with empty string
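
The two notices discussed in this thread can be reproduced with a short Python sketch. This is an added example, not EvtxECmd's code: the records, timestamps, XML values and function names are constructed for illustration, and the property path is the relative form of the one in the message above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Relative form of /Event/EventData/Data[@Name="Signature version"]
PATH = './EventData/Data[@Name="Signature version"]'

# Constructed sample: (record number, TimeCreated, event XML) in file order.
RECORDS = [
    (75144, "2023-05-01T10:00:05",
     '<Event><EventData><Data Name="Signature version">1.0.0.1</Data></EventData></Event>'),
    (75145, "2023-05-01T10:00:03",
     '<Event><EventData><Data Name="Signature version">1.0.0.2</Data></EventData></Event>'),
    (75146, "2023-05-01T10:00:07",
     '<Event><EventData><Data Name="Engine version">2.0</Data></EventData></Event>'),
]

def lookup(event_xml, path):
    """Return (value, found); a missing node yields "" rather than None."""
    node = ET.fromstring(event_xml).find(path)
    if node is None:
        return "", False
    return node.text or "", True

def process(records, path=PATH):
    """Walk records in file order, collect notices, return rows sorted by time."""
    notices, rows, previous = [], [], None
    for number, stamp, event_xml in records:
        when = datetime.fromisoformat(stamp)
        # File order is not guaranteed to be timestamp order.
        if previous is not None and when < previous:
            notices.append((number, "time went backwards"))
        previous = when
        value, found = lookup(event_xml, path)
        if not found:
            notices.append((number, "property not found, using empty string"))
        rows.append((when, number, value))
    # Sorting for display hides the out-of-order write; no record is lost.
    return notices, sorted(rows)

if __name__ == "__main__":
    notices, rows = process(RECORDS)
    for notice in notices:
        print(notice)
    for row in rows:
        print(row)
```
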