Getting Data In

How to filter WinEventLog using SEDCMD?

DanAlexander
Communicator

Hello, community,

I need help reducing Events containing 4688 and ParentProcessName=*splunkd.exe

There is an excerpt from the log:

 <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>

Can anyone help me create the appropriate regex I can use within the SEDCMD?

After the reduction the above event the result I am after should look something like this: <EventID>4688</EventID><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>

Thank you!

0 Karma

yeahnah
Motivator

Hi @DanAlexander 

Here's a run anywhere SPL example to get you started...

| makeresults
| eval _raw="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>"
| rex mode=sed "s#(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*)#\2\4#"

 You should be able to put the final sed command into your props.conf SEDCMD.  No double quotes needed.  Also note, I used colon as separator instead of usual forward slash so the other forward slashes did not need escaping.

Hope that helps 

0 Karma

DanAlexander
Communicator

Thanks for the reply @yeahnah 

Should the SED look something like this under the stanza?

[WinEventLog]

SEDCMD=s/(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*)/\2\4/g

0 Karma

yeahnah
Motivator

Hi Dan

In props.conf on your heavy forwarder (or indexer) tier do something like this...   

[WinEventLog]
SEDCMD-filter-winevent = s:(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*):\2\4:g

As before, by using colon as the sed command separator you do not need to backslash escape the forward slash delimiters that exists in the event data.  This is very important, otherwise the sed syntax will be invalid.  Also note, give the SEDCMD a label, which can be whatever you like.  

Finally, double check the sourcetype of the incoming event, as usually XML events have the XmlWinEventLog sourcetype.

You should be able to test the SEDCMD above via Add Data, in case it needs some more tweaking. 

yeahnah_0-1686800622016.png

Hope that helps

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...