Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Multiline events with fields with same name (Windows 2008 logs)

bojanz
Communicator
‎08-30-2010 10:34 AM

With Windows 2008 (and Vista) event logs are now much more detailed, however there are some problems with multiple fields which have same names, for example like this:

Subject:  
    Security ID:        S-1-5-18  
    Account Name:       CALLISTO$  
    Account Domain:     DEMO  
    Logon ID:       0x3e7  

Logon Type:         10  

Account For Which Logon Failed:  
    Security ID:        S-1-0-0  
    Account Name:       Administrator  
    Account Domain:     DEMO

Now, I want to extract only the second "Account Name" field. Splunk automatically extracts both of them, but I want to graph only the second. Any idea how to do it on multiline events like this? I tried with rex and regex but with no success 😞

Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-30-2010 01:18 PM

You may be able to prevent splunk from extracting the first value, but there may be times when you'll want the first value but not the second. So perhaps an easier way would be to tell splunk just to grab that second value for your search. Since you always know that you want the second value, you can use an eval statement in your search like this:

sourcetype=WinEventLog:Security "Logon Failed" | eval login_account=mvindex(Account_Name,1) | timechart count by login_account

View solution in original post

Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-30-2010 01:18 PM

You may be able to prevent splunk from extracting the first value, but there may be times when you'll want the first value but not the second. So perhaps an easier way would be to tell splunk just to grab that second value for your search. Since you always know that you want the second value, you can use an eval statement in your search like this:

sourcetype=WinEventLog:Security "Logon Failed" | eval login_account=mvindex(Account_Name,1) | timechart count by login_account
Reply
Solved! Jump to solution

bapruski
Explorer
‎05-15-2012 08:05 AM

How would you evaluate the Account_Name if in some cases it has only one value (event 4768, 4769) and in some it has two (event 4624)?

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...