Getting Data In

How to filter WinEventLog using SEDCMD?

DanAlexander
Communicator

Hello, community,

I need help reducing Events containing 4688 and ParentProcessName=*splunkd.exe

There is an excerpt from the log:

 <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>

Can anyone help me create the appropriate regex I can use within the SEDCMD?

After the reduction the above event the result I am after should look something like this: <EventID>4688</EventID><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>

Thank you!

0 Karma

yeahnah
Motivator

Hi @DanAlexander 

Here's a run anywhere SPL example to get you started...

| makeresults
| eval _raw="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>"
| rex mode=sed "s#(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*)#\2\4#"

 You should be able to put the final sed command into your props.conf SEDCMD.  No double quotes needed.  Also note, I used colon as separator instead of usual forward slash so the other forward slashes did not need escaping.

Hope that helps 

0 Karma

DanAlexander
Communicator

Thanks for the reply @yeahnah 

Should the SED look something like this under the stanza?

[WinEventLog]

SEDCMD=s/(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*)/\2\4/g

0 Karma

yeahnah
Motivator

Hi Dan

In props.conf on your heavy forwarder (or indexer) tier do something like this...   

[WinEventLog]
SEDCMD-filter-winevent = s:(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*):\2\4:g

As before, by using colon as the sed command separator you do not need to backslash escape the forward slash delimiters that exists in the event data.  This is very important, otherwise the sed syntax will be invalid.  Also note, give the SEDCMD a label, which can be whatever you like.  

Finally, double check the sourcetype of the incoming event, as usually XML events have the XmlWinEventLog sourcetype.

You should be able to test the SEDCMD above via Add Data, in case it needs some more tweaking. 

yeahnah_0-1686800622016.png

Hope that helps

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...