How to search a Multi line windows event

krusty · ‎04-25-2012

Hi,

I'm trying to search a multiline event from a windows server. I need to find out which changes was made with a file. So I have to parse the Accesses. The field Accesses show me only the first entry but I need them all.
Have you any idea how I can search the events and find out the differnet accesses of a file?

For example an excerpt of the event.

    Accesses:   READ_CONTROL 
        ReadData (or ListDirectory) 
        WriteData (or AddFile) 
        AppendData (or AddSubdirectory or CreatePipeInstance) 
        ReadEA 
        WriteEA 
        ReadAttributes 
        WriteAttributes

At the end of my search I will show a report where I can see which operation will be done with the files. It should shown as a table. But first I have to figure out how to get the values out of the multiline event.

Thanks for your help.

woodcock · ‎07-05-2015

Like this:

... | rex "(?ms)Accesses:\w+(?<MVAccesses>.*)$" | rex field=MVAccesses mode=sed "s/\n/:::/g" | makemv delim=":::" MVAccesses

Now your event contains a multi-value field called MVAccesses and you can do your work with that.

How to search a Multi line windows event

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How to search a Multi line windows event

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine