Hello,
Is it possible to use a field value to extract a new field in Splunk? For example, I have a field Message which contains the information below:
Un handle vers un objet a été demandé. Sujet : ID de sécurité : CONTOSO\Administrateur Nom du compte : Administrateur Domaine du compte : CONTOSO ID d’ouverture de session 0x863fe Objet : Serveur de l’objet : Security Type d’objet : File Nom de l’objet : C:\secret ID du handle : 0x1068 Informations sur le processus : ID du processus : 0xcd8 Nom du processus :
and I need to extract some values, like the account name (CONTOSO\Administrateur) and the accessed file (C:\secret).
Thanks for your help.
Hello
In my case, my Windows Server is in French, and when I use this regex the results are empty. I used this to resolve my problem:
host="" EventCode="4656" TaskCategory="Système de fichiers" "Nom du compte "!="$" source="WinEventLog:Security" | rex field=Message "Nom du compte(?
Thanks for the help.
This is fairly straightforward. Use rex:
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Rex
Example from that page:
... | rex field=savedsearch_id "(?<user>\w+);(?<app>\w+);(?<SavedSearchName>\w+)"
So, yours would be something like:
... | rex field=Message ".*:.*:\s(?<accountname>\w+)\s.*"
I'm fairly sure you need to tweak that regex as I just roughed it out and didn't test it at all, but you ought to get the idea.
If this is something that you want done on an ongoing, automatic basis, then you should look into using the SOURCE_KEY attribute in transforms.conf http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Transformsconf
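An added example, not from any of the posts above: a search that anchors each extraction on the French label that precedes the value in the pasted 4656 message, instead of counting colons positionally. It assumes the event is indexed with source WinEventLog:Security, that the Message field is already extracted (as in the original searches), and that the labels are spelled exactly as in the message quoted in the question; the field names security_id, account_name, account_domain, object_type, object_name and process_id are chosen here, not Splunk defaults.

```spl
source="WinEventLog:Security" EventCode=4656 "Nom du compte"
| rex field=Message "ID de sécurité\s*:\s*(?<security_id>\S+)"
| rex field=Message "Nom du compte\s*:\s*(?<account_name>\S+)\s+Domaine du compte\s*:\s*(?<account_domain>\S+)"
| rex field=Message "Type d.objet\s*:\s*(?<object_type>\S+)\s+Nom de l.objet\s*:\s*(?<object_name>.+?)\s+ID du handle\s*:"
| rex field=Message "ID du processus\s*:\s*(?<process_id>0x[0-9a-fA-F]+)"
| table _time host security_id account_domain account_name object_type object_name process_id
```

On the message quoted in the question this yields security_id=CONTOSO\Administrateur, account_domain=CONTOSO, account_name=Administrateur, object_type=File, object_name=C:\secret and process_id=0xcd8. Three details matter in practice. The French messages use the typographic apostrophe (’, U+2019) in "Type d’objet" and "Nom de l’objet", so a literal ASCII ' in the regex never matches; the `.` in `d.objet` and `l.objet` accepts either character. The real Message field is multi-line with tabs, not a single flattened line, so `\s*` around each colon and `\s+` between labels is what keeps the regex working on both layouts. And a file path can contain spaces, so object_name is taken lazily up to the next label ("ID du handle") rather than as `\S+`. For the permanent extraction mentioned above, the same regexes go into a transforms.conf stanza with SOURCE_KEY = Message and REGEX = <pattern>, referenced from the sourcetype's props.conf stanza with a REPORT- setting.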