Developing for Splunk Enterprise

How to extract the fields from Message in WinEventLog?

danielbb
Motivator

We are trying to extract the fields from Message in WinEventLog in the Avecto data.

The data looks like -

 Process Id: 21592
 Parent Process Id: 24704
 Workstyle: Avecto Defendpoint.Systems Employees
 Application Group: Avecto Defendpoint.Add Admin - Privileged Users - Applications
 Reason: <None>
 File Name: <file name>
 Hash: 4478EBABE67B50EB111D59F95FE029D31329F1FC
 Certificate: <name>
 Description: Command line runner
 Application Type: exe
 Product Name: IntelliJ Platform
 Product Code: <None>
 Upgrade Code: <None>
 ....

Each line in Message has a name value pair, separated by a colon.

The documentation at https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Rex shows -

| makeresults 
| eval test="a$1,b$2"
| rex field=test max_match=0 "((?<field>[^$]*)\$(?<value>[^,]*),?)"

which works.

The similar one I did for Avecto works fine -

index = <avecto index> Message=* 
| rex field=Message max_match=0 "((?<field>.+)\:(?<value>.+),?)" 
| table Message field value

We end up with field and value, each of which is a multi-value field.

Is there a way to change this so that we'll have multiple fields, each with its own name/value pair, such as Process_Id having 21592 as its value?


ITWhisperer
Ultra Champion
| makeresults 
| eval test="a$1,b$2"
| rex field=test max_match=0 "((?<field>[^$]*)\$(?<value>[^,]*),?)"
| eval fieldvalue=mvzip(field,value,"=")
| mvexpand fieldvalue
| eval field=mvindex(split(fieldvalue,"="),0)
| eval value=mvindex(split(fieldvalue,"="),1)
| eval {field}=value
| fields - field value fieldvalue test

This will create separate events for each field/value pair. If you want to recombine them back to their original events, and you don't already have a field with a unique value in it, you could use streamstats to add a row number to the events before the mvexpand, then use a stats command with values(*) as * by row to recombine them.

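Applying that approach to the Avecto Message field, as an added example that is neither ITWhisperer's nor the poster's code: the regex splits each line at its first colon and trims surrounding whitespace, so a value that itself contains a colon (a Windows path in File Name, for instance) is not cut in the wrong place, the key is normalised to the Process_Id form asked for, and streamstats/stats recombine the expanded rows into one event per original log entry. `<avecto index>` is the question's own placeholder; the regex, the key normalisation and the recombination by `_time row` are assumptions made here, not taken from the thread.

```spl
index=<avecto index> Message=*
| streamstats count AS row
| rex field=Message max_match=0 "(?m)^\s*(?<field>[^:\r\n]+?):\s*(?<value>[^\r\n]*?)\s*$"
| eval fieldvalue=mvzip(field, value, "=")
| mvexpand fieldvalue
| eval key=mvindex(split(fieldvalue, "="), 0)
| eval value=substr(fieldvalue, len(key) + 2)
| eval key=replace(trim(key), "\s+", "_")
| eval {key}=value
| fields - field value fieldvalue key
| stats values(*) AS * BY _time row
| fields - row
```

Taking the value as everything after the first "=" (rather than the second element of the split) keeps values that contain "=" intact. Note that values() deduplicates and sorts multi-values; use list(*) AS * if the original order of repeated lines matters.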