https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-extract-fields-from-the-message-of-a-windows-event-log/m-p/302042#M36040 <P>Hi jwindley,</P> <P>this is what I have in my avecto app:</P> <P>props.conf<BR /> [source::WinEventLog:Application]<BR /> REPORT-MESSAGE = avec-wel-message, avec-wel-eq-kv, avec-wel-col-kv<BR /> KV_MODE=none</P> <H1>Note the below settings are effectively legacy, in place here to handle</H1> <H1>data coming from much much older forwarders (3.x &amp; 4.x)</H1> <P>SHOULD_LINEMERGE = false<BR /> MAX_TIMESTAMP_LOOKAHEAD=30<BR /> LINE_BREAKER = (<A href="https://community.splunk.com/?=d%7B2%7D/d%7B2%7D/d%7B2,4%7D%20d%7B2%7D:d%7B2%7D:d%7B2%7D%20%5BaApPmM%5D%7B2%7D" target="_blank">\r\n</A>)<BR /> TRANSFORMS-FIELDS = strip-winevt-linebreaker</P> <P>transforms.conf<BR /> [avec-wel-message]<BR /> REGEX = (?sm)^(?&lt;_pre_msg&gt;.+)\nMessage=(?.+)$<BR /> CLEAN_KEYS = false</P> <P>[avec-wel-eq-kv]<BR /> SOURCE_KEY = _pre_msg<BR /> DELIMS = "\n","="<BR /> MV_ADD = true</P> <P>[avec-wel-col-kv]<BR /> SOURCE_KEY = Message<BR /> REGEX = \n?<A href="%5B%5E:nr%5D+" target="_blank"> \t</A>:[ \t]++([^\r]*)<BR /> FORMAT = $1::$2<BR /> MV_ADD = true</P> Tue, 29 Sep 2020 22:14:23 GMT john0499 2020-09-29T22:14:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-extract-fields-from-the-message-of-a-windows-event-log/m-p/302038#M36036 <P>Hi all,</P> <P>I have a problem extracting fields after the Message= portion of a windows application event log. Everything after Message= is being added as single value to the message field.</P> <P>I think it may be the due to the formatting of the data after Message=, which seems to have a leading space or tab. It looks like this:</P> <P>Message=Process started in passive mode.</P> <P>Command Line: C:\something\something\something.exe<BR /> Process Id: 8988<BR /> ...</P> <P>(the the white space is being removed from this post - its in front of 'Command' and 'Process')</P> <P>There are about 50 more fields after these, all on new lines but with a space or tab before them.</P> <P>I have tried playing with the regex from transforms.conf below, but I've only been able to move the problem from the message field to a new field called Command_Line that contains a value of everything below it.</P> <P>[wel-col-kv]<BR /> SOURCE_KEY = Message<BR /> REGEX = \n([^:\n\r]+):[ \t]++([^\n]*)<BR /> FORMAT = $1::$2<BR /> MV_ADD = true</P> <P>I have found some similar questions asked but haven't been able to come up with a solution yet. Any help would be greatly appreciated.</P> Tue, 29 Sep 2020 14:07:47 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-extract-fields-from-the-message-of-a-windows-event-log/m-p/302038#M36036 john0499 2020-09-29T14:07:47Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-extract-fields-from-the-message-of-a-windows-event-log/m-p/302039#M36037 <P>are you using the Windows TA? <BR /> <A href="https://splunkbase.splunk.com/app/742/">https://splunkbase.splunk.com/app/742/</A></P> Wed, 24 May 2017 02:48:52 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-extract-fields-from-the-message-of-a-windows-event-log/m-p/302039#M36037 adonio 2017-05-24T02:48:52Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-extract-fields-from-the-message-of-a-windows-event-log/m-p/302040#M36038 <P>I do have the TA, although I don't believe it's actually needed as windows event extraction is included in the default transforms.conf</P> <P>I managed to get it working with the following changes to the default:</P> <P>REGEX = \n?<A href="%5B%5E:nr%5D+"> \t</A>:[ \t]++([^\r]*)</P> <P>FYI this was to extract avecto defendpoint events</P> Mon, 29 May 2017 23:46:31 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-extract-fields-from-the-message-of-a-windows-event-log/m-p/302040#M36038 john0499 2017-05-29T23:46:31Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-extract-fields-from-the-message-of-a-windows-event-log/m-p/302041#M36039 <P>Hi John, I have the same problem parsing the avecto logs from Message. I tried your new regex but it didn't solve it for me. Strangely though the default regex parses everything fine for me in regex101. Did you make any other changes at all other than to the wel-col-kv settings?</P> <P>Thanks</P> Tue, 27 Nov 2018 10:01:05 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-extract-fields-from-the-message-of-a-windows-event-log/m-p/302041#M36039 jwindley_splunk 2018-11-27T10:01:05Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-extract-fields-from-the-message-of-a-windows-event-log/m-p/302042#M36040 <P>Hi jwindley,</P> <P>this is what I have in my avecto app:</P> <P>props.conf<BR /> [source::WinEventLog:Application]<BR /> REPORT-MESSAGE = avec-wel-message, avec-wel-eq-kv, avec-wel-col-kv<BR /> KV_MODE=none</P> <H1>Note the below settings are effectively legacy, in place here to handle</H1> <H1>data coming from much much older forwarders (3.x &amp; 4.x)</H1> <P>SHOULD_LINEMERGE = false<BR /> MAX_TIMESTAMP_LOOKAHEAD=30<BR /> LINE_BREAKER = (<A href="https://community.splunk.com/?=d%7B2%7D/d%7B2%7D/d%7B2,4%7D%20d%7B2%7D:d%7B2%7D:d%7B2%7D%20%5BaApPmM%5D%7B2%7D" target="_blank">\r\n</A>)<BR /> TRANSFORMS-FIELDS = strip-winevt-linebreaker</P> <P>transforms.conf<BR /> [avec-wel-message]<BR /> REGEX = (?sm)^(?&lt;_pre_msg&gt;.+)\nMessage=(?.+)$<BR /> CLEAN_KEYS = false</P> <P>[avec-wel-eq-kv]<BR /> SOURCE_KEY = _pre_msg<BR /> DELIMS = "\n","="<BR /> MV_ADD = true</P> <P>[avec-wel-col-kv]<BR /> SOURCE_KEY = Message<BR /> REGEX = \n?<A href="%5B%5E:nr%5D+" target="_blank"> \t</A>:[ \t]++([^\r]*)<BR /> FORMAT = $1::$2<BR /> MV_ADD = true</P> Tue, 29 Sep 2020 22:14:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-extract-fields-from-the-message-of-a-windows-event-log/m-p/302042#M36040 john0499 2020-09-29T22:14:23Z