Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter WinEventLog using SEDCMD?

DanAlexander
Communicator
‎06-13-2023 03:01 PM

Hello, community,

I need help reducing Events containing 4688 and ParentProcessName=*splunkd.exe

There is an excerpt from the log:

 <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>

Can anyone help me create the appropriate regex I can use within the SEDCMD?

After the reduction the above event the result I am after should look something like this: <EventID>4688</EventID><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>

Thank you!

0 Karma
Reply

yeahnah
Motivator
‎06-13-2023 05:01 PM

Hi @DanAlexander 

Here's a run anywhere SPL example to get you started...

| makeresults
| eval _raw="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>"
| rex mode=sed "s#(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*)#\2\4#"

 You should be able to put the final sed command into your props.conf SEDCMD.  No double quotes needed.  Also note, I used colon as separator instead of usual forward slash so the other forward slashes did not need escaping.

Hope that helps 

0 Karma
Reply

DanAlexander
Communicator
‎06-14-2023 02:19 AM

Thanks for the reply @yeahnah 

Should the SED look something like this under the stanza?

[WinEventLog]

SEDCMD=s/(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*)/\2\4/g

0 Karma
Reply

yeahnah
Motivator
‎06-14-2023 08:44 PM

Hi Dan

In props.conf on your heavy forwarder (or indexer) tier do something like this...   

[WinEventLog]
SEDCMD-filter-winevent = s:(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*):\2\4:g

As before, by using colon as the sed command separator you do not need to backslash escape the forward slash delimiters that exists in the event data.  This is very important, otherwise the sed syntax will be invalid.  Also note, give the SEDCMD a label, which can be whatever you like.  

Finally, double check the sourcetype of the incoming event, as usually XML events have the XmlWinEventLog sourcetype.

You should be able to test the SEDCMD above via Add Data, in case it needs some more tweaking. 

yeahnah_0-1686800622016.png

Hope that helps

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...