topic Re: Extracting multiple values in a Splunk Search in Splunk Enterprise Security https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490293#M8278 <P>Reference:</P> <PRE><CODE>DS-Install-Replica 9923a32a-3607-11d2-b9be-0000f87a36b2 DS-Replication-Manage-Topology 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2 Schema-Id-Guid 19195a5b-6da0-11d0-afd3-00c04fd930c9 </CODE></PRE> <P>cf. <A href="https://www.praetorian.com/blog/active-directory-visualization-for-blue-teams-and-threat-hunters">https://www.praetorian.com/blog/active-directory-visualization-for-blue-teams-and-threat-hunters</A></P> <PRE><CODE>your search | rex max_match=0 "[^%](?&lt;guid&gt;{.*})" </CODE></PRE> <P>try <CODE>rex max_match</CODE> . this command exclude <EM>Object Type</EM> and <EM>Object Name</EM></P> Wed, 11 Mar 2020 11:36:15 GMT to4kawa 2020-03-11T11:36:15Z Extracting multiple values in a Splunk Search https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490291#M8276 <P>**Hi All, I need help extracting {0000000-0000-0000-0000-000000000000} and {0000000-0000-0000-0000-000000000000} from the log sample below during search. This is what i have so far:</P> <P>sourcetype=wineventlog EventCode="4662" Account_Name="<EM>\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR ObjectT_ype="domainDNS") | rex field=Message "Properties: (?P[^\s]+) {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} " | rex field=Message "Properties: (?P[^\s]+) {9923a32a-3607-11d2-b9be-0000f87a36b2} " | rex field=Message "Properties: (?P[^\s]+) {1131f6ac-9c07-11d1-f79f-00c04fc2dcd2} "<BR /> Please help me fix this search.</EM>*</P> <P>LogName=Security<BR /> SourceName=Microsoft Windows security auditing.<BR /> EventCode=4662<BR /> EventType=0<BR /> Type=Information<BR /> ComputerName=gghasfv.net<BR /> TaskCategory=Directory Service Access<BR /> OpCode=Info<BR /> RecordNumber=0000000<BR /> Keywords=Audit Success<BR /> Message=An operation was performed on an object.</P> <P>Subject :<BR /> Security ID: S-1-5-21-0000000-0000-0000-0000-000000000000<BR /> Account Name: NAME$<BR /> Account Domain: GOAL<BR /> Logon ID: GOAL</P> <P>Object:<BR /> Object Server: DS<BR /> Object Type: %{0000000-0000-0000-0000-000000000000}<BR /> Object Name: %{0000000-0000-0000-0000-000000000000}<BR /> Handle ID:</P> <P>Operation:<BR /> Operation Type: Object Access<BR /> Accesses: Control Access</P> <PRE><CODE>Access Mask: 0x100 Properties: Control Access {0000000-0000-0000-0000-000000000000} {0000000-0000-0000-0000-000000000000} </CODE></PRE> <P>Additional Information:<BR /> Parameter 1:<BR /> Parameter 2</P> Wed, 30 Sep 2020 04:32:25 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490291#M8276 enymanu 2020-09-30T04:32:25Z Re: Extracting multiple values in a Splunk Search https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490292#M8277 <P>If this is properly structured xml or json just use mvexpand on your multi-value field. You can also pipe that to "search" for a specific value in the MV field.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Mvexpand">https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Mvexpand</A></P> Wed, 11 Mar 2020 05:23:28 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490292#M8277 codebuilder 2020-03-11T05:23:28Z Re: Extracting multiple values in a Splunk Search https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490293#M8278 <P>Reference:</P> <PRE><CODE>DS-Install-Replica 9923a32a-3607-11d2-b9be-0000f87a36b2 DS-Replication-Manage-Topology 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2 Schema-Id-Guid 19195a5b-6da0-11d0-afd3-00c04fd930c9 </CODE></PRE> <P>cf. <A href="https://www.praetorian.com/blog/active-directory-visualization-for-blue-teams-and-threat-hunters">https://www.praetorian.com/blog/active-directory-visualization-for-blue-teams-and-threat-hunters</A></P> <PRE><CODE>your search | rex max_match=0 "[^%](?&lt;guid&gt;{.*})" </CODE></PRE> <P>try <CODE>rex max_match</CODE> . this command exclude <EM>Object Type</EM> and <EM>Object Name</EM></P> Wed, 11 Mar 2020 11:36:15 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490293#M8278 to4kawa 2020-03-11T11:36:15Z Re: Extracting multiple values in a Splunk Search https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490294#M8279 <P>This is my updated search. It is not filtering the properties.</P> <P>sourcetype=wineventlog (EventCode="4662" Account_Name="<EM>\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS")) OR (EventCode="4624" session_id!="NT AUTHORITY</EM>" Account_Domain!="Window Manager") | rex max_match=0 "<A href="https://community.splunk.com/?%7B.*%7D" target="_blank">^%</A>" | search (guid="<EM>{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</EM>" OR guid = "<EM>{9923a32a-3607-11d2-b9be-0000f87a36b2}</EM>" OR guid = "<EM>{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}</EM>")</P> Wed, 30 Sep 2020 04:33:00 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490294#M8279 enymanu 2020-09-30T04:33:00Z Re: Extracting multiple values in a Splunk Search https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490295#M8280 <P><EM>guid</EM> is multivalue. <CODE>search</CODE> can't work.</P> <PRE><CODE>sourcetype=wineventlog ("{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" OR "{9923a32a-3607-11d2-b9be-0000f87a36b2}" OR "{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}") (EventCode="4662" OR EventCode="4624") </CODE></PRE> <P>How is this? <BR /> I guess if extra results appear, use<CODE>NOT</CODE><BR /> you can do it.</P> Wed, 11 Mar 2020 21:12:28 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490295#M8280 to4kawa 2020-03-11T21:12:28Z Re: Extracting multiple values in a Splunk Search https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490296#M8281 <P>This works fine but it slow. Is there away it can be accelerated</P> Wed, 11 Mar 2020 23:54:32 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490296#M8281 enymanu 2020-03-11T23:54:32Z Re: Extracting multiple values in a Splunk Search https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490297#M8282 <P><CODE>(EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS"))</CODE> can use on same way.It will be faster.</P> Thu, 12 Mar 2020 07:53:24 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Extracting-multiple-values-in-a-Splunk-Search/m-p/490297#M8282 to4kawa 2020-03-12T07:53:24Z