All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Data extraction assistance

pirsa
Explorer
‎04-18-2021 06:41 PM

Howdy Guys,

We were getting windows event Application logs through, with a simple stanza previously, that would be whitelisting only the 11707 event. The data was coming through in non xml, and was rather clean when searching for these events in Splunk.

However, recently we deployed the "Splunk_TA_windows" to all desktops, which included the Windows Application win event logs, but this is sending them in XML format.  This is ok, as I believe this is preferred for licensing/ingestion in splunk, but it now means one of our simple reports no longer is working as the fields it as looking for are no longer there (Windows TA seems to be taking over the previous simple app 11707 event  ingestion)

It appears the TA does not extract anything out from the <EventData></EventData> just only grabs the whole block, however I am interested in getting the "Product:" from that block.
Sample data:

 

<EventData><Data>Product: Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 -- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B31443845363239312D423044352D333545432D383434312D3636313646353637413046377D</Binary></EventData></Event>
<EventData><Data>Product: Surface Pro Update 21.012.27402.0 (64 bit) -- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B42423130324541442D453133362D343946382D384645312D4138383831373442364646397D</Binary></EventData></Event>
<EventData><Data>Product: Surface Pro Update 19.092.25297.0 (64 bit) -- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B36363938354431392D323831452D343736442D394242452D3645453944464131413433387D</Binary></EventData></Event>

 

 

Given I suck at REGEX, how could I extract "Product:*" from the above events? so I could add it to a local/transforms.conf to extract the string I need?

[product_string_for_11707_events]
REGEX = ??????
FORMAT = product::"$1"

Any and all assistance appreciated.

 

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...