Monitoring Splunk

use field value to extract new field

ambemou
New Member

Hello,

is possible to use field value to extract new field with splunk. for example i have a field Message whon contain this information below

Un handle vers un objet a été demandé. Sujet : ID de sécurité : CONTOSO\Administrateur Nom du compte : Administrateur Domaine du compte : CONTOSO ID d’ouverture de session 0x863fe Objet : Serveur de l’objet : Security Type d’objet : File Nom de l’objet : C:\secret ID du handle : 0x1068 Informations sur le processus : ID du processus : 0xcd8 Nom du processus :

and i need to extract some value like account name (CONTOSO\Administrateur) , access file (C:\secret)

thanks for your help

Tags (2)
0 Karma

ambemou
New Member

Hello

I my case is a version of my windows server is in french and when i use this regex result are empty i use this for resolv my problem

host="" EventCode="4656" TaskCategory="Système de fichiers" "Nom du compte "!="$" source="WinEventLog:Security" | rex field=Message "Nom du compte(?.)" | rex field=Message "Nom de l’objet(?.)" | rex field=Message "Nom du processus(?.*)" |rex mode=sed field=user "s/://g" |rex mode=sed field=objet "s/://g" |rex mode=sed field=process "s/://g" |eval mytime=strftime(_time, "%H:%M") |dedup mytime user objet | eval DATE=strftime(_time, "%d/%m/%y%H:%M") |eval ACCES=case(Keywords="Échec de l’audit", "Accès refusé",Keywords="Succès de l’audit", "Accès autorisé") | table DATE user host objet process ACCES |rename host AS "SERVEUR" user AS "UTILISATEUR" objet AS "RESSOURCE" process AS "PROCESSUS"

Thanks for help

0 Karma

jtrucks
Splunk Employee
Splunk Employee

This is fairly straight forward. Use rex:

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Rex

Example from that page:

... | rex field=savedsearch_id "(?<user>\w+);(?<app>\w+);(?<SavedSearchName>\w+)"

So, yours would be something like:

... | rex field=Message ".*:.*:\s(?<accountname>\w+)\s.*"

I'm fairly sure you need to tweak that regex as I just roughed it out and didn't test it at all, but you ought to get the idea.

--
Jesse Trucks
Minister of Magic

dshpritz
SplunkTrust
SplunkTrust

If this is something that you want done on an ongoing, automatic basis, then you should look into using the SOURCE_KEY attribute in transforms.conf http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Transformsconf

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...