Archive

use field value to extract new field

New Member

Hello,

is possible to use field value to extract new field with splunk. for example i have a field Message whon contain this information below

Un handle vers un objet a été demandé. Sujet : ID de sécurité : CONTOSO\Administrateur Nom du compte : Administrateur Domaine du compte : CONTOSO ID d’ouverture de session 0x863fe Objet : Serveur de l’objet : Security Type d’objet : File Nom de l’objet : C:\secret ID du handle : 0x1068 Informations sur le processus : ID du processus : 0xcd8 Nom du processus :

and i need to extract some value like account name (CONTOSO\Administrateur) , access file (C:\secret)

thanks for your help

Tags (2)
0 Karma

New Member

Hello

I my case is a version of my windows server is in french and when i use this regex result are empty i use this for resolv my problem

host="" EventCode="4656" TaskCategory="Système de fichiers" "Nom du compte "!="$" source="WinEventLog:Security" | rex field=Message "Nom du compte(?.)" | rex field=Message "Nom de l’objet(?.)" | rex field=Message "Nom du processus(?.*)" |rex mode=sed field=user "s/://g" |rex mode=sed field=objet "s/://g" |rex mode=sed field=process "s/://g" |eval mytime=strftime(time, "%H:%M") |dedup mytime user objet | eval DATE=strftime(time, "%d/%m/%y%H:%M") |eval ACCES=case(Keywords="Échec de l’audit", "Accès refusé",Keywords="Succès de l’audit", "Accès autorisé") | table DATE user host objet process ACCES |rename host AS "SERVEUR" user AS "UTILISATEUR" objet AS "RESSOURCE" process AS "PROCESSUS"

Thanks for help

0 Karma

Splunk Employee
Splunk Employee

This is fairly straight forward. Use rex:

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Rex

Example from that page:

... | rex field=savedsearch_id "(?<user>\w+);(?<app>\w+);(?<SavedSearchName>\w+)"

So, yours would be something like:

... | rex field=Message ".*:.*:\s(?<accountname>\w+)\s.*"

I'm fairly sure you need to tweak that regex as I just roughed it out and didn't test it at all, but you ought to get the idea.

SplunkTrust
SplunkTrust

If this is something that you want done on an ongoing, automatic basis, then you should look into using the SOURCE_KEY attribute in transforms.conf http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Transformsconf