Getting Data In

Parsing NetIQ DRA data from Windows Application Event Log


I have some entries in WinEventLog://Application coming from NetIQ DRA. I couldn't find any add-ons for DRA on Splunkbase, so I'm reaching out for guidance on how to identify KV pairs within the Message field and extract them.

I can see that OOTB, Splunk has configs in etc/system/local/props.conf and transforms.conf that will extract KV pairs delimited by "=" or ":". In this case, the segregation is by spaces and/or tabs, and some of the keys (field names) have spaces as well, so I have to intelligently identify which portions are fields and which portions are values.

Compounding the issue is that some keys and values are on separate lines; for example, take a look at TransactionID and its value in my sample event. I also need to account for the potential of a field containing multiple values, such as "Member Added".

Any hints or guidance would be greatly appreciated.

Message=Action                   MemberAdd
ObjectType        Group
AssistantAdmin DOMAIN\joeblow-a
Target                   DOMAIN\LA.SVC
Domain Controller           SERVERNAME006
UTC Date
                                Wednesday, November 14, 2018
UTC Time
                                3:19:16 PM
                OnePoint             OnePoint://CN=Admin\, Joe Blow,OU=Admin,OU=IT,OU=Users,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
Member Added
                OnePoint                OnePoint://CN=SERVER603,OU=Prod,OU=Servers,OU=Computers,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
                OnePoint                OnePoint://CN=SERVER604,OU=Prod,OU=Servers,OU=Computers,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
                OnePoint                OnePoint://CN=LA.SVC,OU=Prod,OU=Roles,OU=Security,OU=Groups,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
Sequence Number
ReturnCode       0x0
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...