My question is: how have others been parsing this PowerShell log, among other esoteric Windows Event logs? Currently I am using the Splunk app TA_windows. It parses some of the generic logs quite well. Will any effort be made by Splunk or the community to parse other such logs? Am I going about this completely wrong?
Here is my immediate regex issue. I want to extract the field HostApplication. As you can see, the line may be one or two lines in the raw event.
This works in the search bar but does not work as an extracted field.
| rex field=_raw "HostApplication=(?P<HostApplication>.+\s(?=\s))"
Field extraction = HostApplication=(?P<HostApplication>.+\s(?=\s))
_raw event= LogName=Windows PowerShell SourceName=PowerShell EventCode=400 EventType=4 Type=Information ComputerName=ABC-123 Keywords=Classic Message=Engine state is changed from None to Available.
NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=5.1.14409.1005 HostId=9b3e7caa-29af-42fe-8cfe-b6d6c9d83ead HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -Noninteractive -ExecutionPolicy Bypass & 'C:\WINDOWS\CCM\SystemTemp\4eef3f2ec987c2.ps1' EngineVersion=5.1.14409.1005 RunspaceId=33010d86-d566-434f-aa74-ebb0b0b600fa
Can someone help with the strategic questions and my immediate regex issue?
I am joining the question, as the extractions seem not to be prebuilt in the Windows TA.
Here is how I worked around it:
index=win* source=*powershell* EventCode=400 | rex field=_raw "HostApplication=(?<HostApplication>\w.+)" | dedup HostApplication | table _time EventCode ComputerName HostApplication
I also need to know this.
I'm struggling to extract the 'CommandLine' field, as everything below 'RunspaceId' is missing when I try to extract new fields.
I'm looking at event IDs 500 & 501 and using the app Splunk_TA_windows.
I think I've managed it by using the following in-line regex...
| rex field="Message" ".*CommandLine=(?<CommandLine>.*$)"
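Both problems in this thread (HostApplication in event 400, CommandLine in events 500/501) come from the same thing: the value contains spaces and may cross a line break, so `\S+` stops too early and a greedy `.+` runs into the next field. The extractor below is an added example written for this thread, not code from Splunk_TA_windows or from any poster. It uses Python's re module, whose lookahead syntax matches the PCRE behind Splunk's rex. The first sample event is the EventCode=400 event quoted above, joined with the line break the original poster saw; the second sample is a constructed variant where the script was launched with -EncodedCommand, and the key list is simply read off the sample. A generic "anything followed by =" rule breaks on that variant because base64 padding looks like a key, while restricting the lookahead to the event's documented field names keeps the full, attacker-controlled command line intact.

```python
"""Key=value extraction for classic Windows PowerShell events (EventCode 400/500/501).

Added example for this thread, not part of Splunk_TA_windows. Python's re module
accepts the same lookahead syntax as the PCRE behind Splunk's rex command, so the
patterns below translate directly.
"""
import base64
import re

# Constructed sample: the EventCode=400 event quoted in the thread, joined with the
# line break the original poster observed after the Message header.
EVENT_400 = (
    "LogName=Windows PowerShell SourceName=PowerShell EventCode=400 EventType=4 "
    "Type=Information ComputerName=ABC-123 Keywords=Classic "
    "Message=Engine state is changed from None to Available.\n"
    "NewEngineState=Available PreviousEngineState=None SequenceNumber=13 "
    "HostName=ConsoleHost HostVersion=5.1.14409.1005 "
    "HostId=9b3e7caa-29af-42fe-8cfe-b6d6c9d83ead "
    "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "-NoLogo -Noninteractive -ExecutionPolicy Bypass & "
    "'C:\\WINDOWS\\CCM\\SystemTemp\\4eef3f2ec987c2.ps1' "
    "EngineVersion=5.1.14409.1005 RunspaceId=33010d86-d566-434f-aa74-ebb0b0b600fa"
)

# Field names of the EventCode=400 event, read off the sample above. For 500/501
# events pass that event's own field list (the one ending in CommandLine) instead.
KEYS_400 = [
    "LogName", "SourceName", "EventCode", "EventType", "Type", "ComputerName",
    "Keywords", "Message", "NewEngineState", "PreviousEngineState",
    "SequenceNumber", "HostName", "HostVersion", "HostId", "HostApplication",
    "EngineVersion", "RunspaceId",
]


def extract_generic(raw):
    """Naive extraction: a value ends at the next whitespace-delimited token that
    looks like a key (word characters immediately followed by '=').
    re.DOTALL lets a value span the line break inside the event."""
    pattern = re.compile(r"(?P<key>\w+)=(?P<value>.*?)(?=\s\w+=|\Z)", re.DOTALL)
    return {m.group("key"): m.group("value").strip() for m in pattern.finditer(raw)}


def extract_known(raw, keys):
    """Extraction that only recognises the event's documented field names as keys,
    so a stray 'token=' inside a value (command-line text is attacker-controlled)
    does not end the value early."""
    alt = "|".join(re.escape(k) for k in keys)
    pattern = re.compile(
        rf"(?P<key>{alt})=(?P<value>.*?)(?=\s(?:{alt})=|\Z)", re.DOTALL
    )
    return {m.group("key"): m.group("value").strip() for m in pattern.finditer(raw)}


# Constructed variant: same event, but the script was launched with -EncodedCommand.
# The base64 padding ('=') at the end of the blob is exactly what the naive pattern
# mistakes for the start of a new key.
ENCODED = base64.b64encode("Get-Date".encode("utf-16le")).decode()
EVENT_400_ENCODED = EVENT_400.replace(
    "-NoLogo -Noninteractive -ExecutionPolicy Bypass & "
    "'C:\\WINDOWS\\CCM\\SystemTemp\\4eef3f2ec987c2.ps1'",
    "-NoProfile -EncodedCommand " + ENCODED,
)


if __name__ == "__main__":
    for label, raw in (("plain", EVENT_400), ("encoded", EVENT_400_ENCODED)):
        print(label, "generic:", extract_generic(raw)["HostApplication"])
        print(label, "known:  ", extract_known(raw, KEYS_400)["HostApplication"])
```

The known-key lookahead carries straight over to rex, for example `rex "HostApplication=(?<HostApplication>.*?)(?=\s+EngineVersion=)"` (prefix the pattern with `(?s)` if the value crosses the line break). It is still regex over attacker-influenced text: a command line that literally contains ` EngineVersion=` will truncate the value, so treat the extracted HostApplication or CommandLine as a triage hint and keep the raw event for the full string.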