topic How to search a Multiline event using rex at searchtime? in Splunk Search

How to search a Multiline event using rex at searchtime?

I-Man — Wed, 09 Feb 2011 06:04:01 GMT

Hey Splunkers,

I cannot get the following rex statement to match in Splunk. I read that using (?m) in the transforms.conf file will match multiline events however I am having trouble getting this to work at searchtime. Actually, I dont even know if this will work at search time.

index=security EventCode=1234 OR EventCode=123 
| rex field=_raw 
    "(?m)Target\sAccount.*\r\n\tSecurity.*\r\n\tAccount\sName\:\t\t (?<Foobar>.*)"

Please let me know if this would work...

Regardless, we have events that have a field of "Account Name". After which, there is another "Account Name" that isn't being made into a field. The data after the second Account Name is what we are trying to grab. Example:

Subject:
    Security ID:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Account Name:       admin
    Account Domain:     dom
    Logon ID:       xxxxxxxxxx

Target Account:
    Security ID:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Account Name:       bigadmin
    Account Domain:     dom

Any better ideas on how to do this? Thanks in advance!

I-Man

Re: How to search a Multiline event using rex at searchtime?

Ron_Naken — Wed, 09 Feb 2011 06:29:49 GMT

If you have the Windows app installed, Splunk should automagically extract both account names from the log entries. Select Account_Name in the "Pick Fields" and search for something like this:

Account_Name=* EventCode="4624"

You'll notice that under each event that has multiple account names, you'll see both entries:

Account_Name=- | Account_Name=SYSTEM

You don't need the (?m). The RegEx was not correct prior to being edited, but you shouldn't need to use one.

Cheers

Re: How to search a Multiline event using rex at searchtime?

I-Man — Wed, 09 Feb 2011 21:09:16 GMT

Thanks much for the response ron. Is there anyway to only grab the second account name and ignore the first instance?

Re: How to search a Multiline event using rex at searchtime?

Ron_Naken — Thu, 10 Feb 2011 15:49:12 GMT

You can do exactly that with mvindex. This function allows you to pick which value of a multi-valued field you would like to take. I'll show a search using -1 as the index value, since this will always pick the last value. Using the following search will take the last "Account_Name" and place it in a field called user for each event:

Account_Name="*" EventCode="4624" | eval user=mvindex(Account_Name,-1)

Cheers,
ron

P.S. If you want to verify that the user field is picking up the correct values, try this search which will list the Account_Name(s) and user fields side-by-side:

Account_Name="*" EventCode="4624" | eval user=mvindex(Account_Name,-1) | table Account_Name user

Re: How to search a Multiline event using rex at searchtime?

I-Man — Thu, 10 Feb 2011 21:25:31 GMT

Exactly what I was looking for. Thanks ron!!!