topic How to extract text from the Message field up to the first "." in Windows event logs? in Splunk Search

How to extract text from the Message field up to the first "." in Windows event logs?

daniel_knights — Tue, 07 Jun 2016 06:00:59 GMT

We have made a dashboard to show the rare events generated by users

Account_Name=XX* |rare limit=20 EventCode |table count, EventCode, Message

but with the message field, it outputs everything below the Message= field

How can I extract from the message field up to the first "." or carriage return?

What we are after is Message="An account was logged off."

Re: How to extract text from the Message field up to the first "." in Windows event logs?

sundareshr — Tue, 07 Jun 2016 11:56:54 GMT

Try this. New field msg should have everything before the first "."

.... | rex field=Message "\"(?<msg>[^\.\n]+)"

Re: How to extract text from the Message field up to the first "." in Windows event logs?

jwahlgren — Mon, 14 Nov 2016 13:50:35 GMT

Try:

| eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) |table Short_Message

Edit: Depending on the message you can filter out what lines to show with (Message,0) were 0 is first line. So if you only wan't to show line 3 you can specify eval Short_Message=mvindex(Message,2). In your case the above query should be correct as you only want to show the first line in the message.