All Apps and Add-ons

Data extraction assistance

pirsa
Explorer

Howdy Guys,

We were getting windows event Application logs through, with a simple stanza previously, that would be whitelisting only the 11707 event. The data was coming through in non xml, and was rather clean when searching for these events in Splunk.

However, recently we deployed the "Splunk_TA_windows" to all desktops, which included the Windows Application win event logs, but this is sending them in XML format.  This is ok, as I believe this is preferred for licensing/ingestion in splunk, but it now means one of our simple reports no longer is working as the fields it as looking for are no longer there (Windows TA seems to be taking over the previous simple app 11707 event  ingestion)

It appears the TA does not extract anything out from the <EventData></EventData> just only grabs the whole block, however I am interested in getting the "Product:" from that block.
Sample data:

 

<EventData><Data>Product: Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 -- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B31443845363239312D423044352D333545432D383434312D3636313646353637413046377D</Binary></EventData></Event>
<EventData><Data>Product: Surface Pro Update 21.012.27402.0 (64 bit) -- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B42423130324541442D453133362D343946382D384645312D4138383831373442364646397D</Binary></EventData></Event>
<EventData><Data>Product: Surface Pro Update 19.092.25297.0 (64 bit) -- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B36363938354431392D323831452D343736442D394242452D3645453944464131413433387D</Binary></EventData></Event>

 

 

Given I suck at REGEX, how could I extract "Product:*" from the above events? so I could add it to a local/transforms.conf to extract the string I need?

[product_string_for_11707_events]
REGEX = ??????
FORMAT = product::"$1"

Any and all assistance appreciated.

 

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...