topic Re: Extract multiple lines from search output in Splunk Search

Extract multiple lines from search output

kkossery — Thu, 23 Oct 2014 12:26:27 GMT

Experts,

I have a Event Log output using the search string

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"

The output would be, after truncating it,

10/22/2014 11:49:09 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4742
EventType=0
Type=Information
ComputerName=HostName
TaskCategory=Computer Account Management
OpCode=Info
RecordNumber=3344821
Keywords=Audit Success

etc. for each event code ID.

I would like the lines 1, 4 and 7 from the output for example.
I used regex and was able to get to one line but do not know how to match the other 4th and 7th line only. See my expression below,

(?<EveID>EventCode\S+)

That would match Event Code=4742 but how do you expand the expression to include line 4 and line 7.

Thank you.

Re: Extract multiple lines from search output

MuS — Thu, 23 Oct 2014 12:45:25 GMT

What is the expected result of line 4 and line 7? Should line 4 be ComputerName and line 7 RecordNumber ? I'm asking because EventCode is not line 1....

Re: Extract multiple lines from search output

kkossery — Thu, 23 Oct 2014 12:52:14 GMT

Sorry about that. Expected result should be,

Time    EveID                                  ComputerName         
_time   Event Code=4742              MyHost.com
_time   Event Code=4772              MyHost2.com

etc..

Re: Extract multiple lines from search output

richgalloway — Thu, 23 Oct 2014 12:59:16 GMT

Something like this might do the job:

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739" | rex "(?m)(?<EveID>EventCode=\S*)[\s\S]*ComputerName=(?<ComputerName>\S+)\s+TaskCategory=(?<TaskCategory>[\s\S]+?)\n" | table _time EveID ComputerName TaskCategory

Re: Extract multiple lines from search output

MuS — Thu, 23 Oct 2014 13:03:18 GMT

or to answer the question how to get the nth line...try this:

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"
| rex field=_raw "([^\n]*\n){3}([^\n]\w+\=(?<EveID>.*))" 
| rex field=_raw "([^\n]*\n){6}([^\n]\w+\=(?<ComputerName>.*))" 
| table EveID,ComputerName

cheers, MuS

Re: Extract multiple lines from search output

kkossery — Thu, 23 Oct 2014 13:21:57 GMT

Thank richgalloway. How do we also add

TaskCategory=Computer Account Management

to this. Since this has a white space, I'm unable to figure out how to include the sentence "Computer Account Management"

Re: Extract multiple lines from search output

richgalloway — Thu, 23 Oct 2014 13:32:04 GMT

I've updated my answer to include TaskCategory.
You can probably work out how to add it to @MuS's solution.

Re: Extract multiple lines from search output

kkossery — Thu, 23 Oct 2014 13:55:07 GMT

Thanks MuS. I'll use your output too on a different problem.