I have some entries in WinEventLog://Application coming from NetIQ DRA. I couldn't find any add-ons for DRA on Splunkbase, so I'm reaching out for guidance on how to identify KV pairs within the Message field and extract them.
I can see that OOTB, Splunk has configs in etc/system/local/props.conf and transforms.conf that will extract KV pairs delimited by "=" or ":". In this case, the segregation is by spaces and/or tabs, and some of the keys (field names) have spaces as well, so I have to intelligently identify which portions are fields and which portions are values.
Compounding the issue is that some keys and values are on separate lines; for example, take a look at TransactionID and its value in my sample event. I also need to account for the potential of a field containing multiple values, such as "Member Added".
Any hints or guidance would be greatly appreciated.
Domain Controller SERVERNAME006
Member Added DOMAIN\SERVERNAME603$
Member Added DOMAIN\SERVERNAME604$
Wednesday, November 14, 2018
OnePoint OnePoint://CN=Admin\, Joe Blow,OU=Admin,OU=IT,OU=Users,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
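One way to do the key identification described above, as an added Python example that is not part of the original post: because keys such as "Member Added" contain spaces, the parser works from an explicit list of known key names (an assumption built from the sample event), tolerates space or tab separators, collects repeated keys as multiple values, and takes the next non-empty line as the value when a key (TransactionID) stands alone on its line. The sample message and its TransactionID value are constructed.

```python
import re

# Key names seen in the DRA sample event. Some contain spaces, so a plain
# whitespace split cannot tell key from value; an explicit list can.
# Assumption: extend this list as further DRA keys show up in your data.
DRA_KEYS = ["Domain Controller", "Member Added", "OnePoint", "TransactionID"]

# Longest key names first, so "Domain Controller" wins over any shorter prefix.
_KEY_RE = re.compile(
    r"^(?P<key>"
    + "|".join(re.escape(k) for k in sorted(DRA_KEYS, key=len, reverse=True))
    + r")(?:[ \t]+(?P<value>\S.*))?$"
)

# Constructed sample in the shape of the event quoted in the question.
# The TransactionID value is a placeholder; the real event has its own.
SAMPLE_MESSAGE = """Domain Controller\tSERVERNAME006
Member Added\tDOMAIN\\SERVERNAME603$
Member Added\tDOMAIN\\SERVERNAME604$
Wednesday, November 14, 2018
OnePoint\tOnePoint://CN=Admin\\, Joe Blow,OU=Admin,OU=IT,OU=Users,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
TransactionID
{PLACEHOLDER-TRANSACTION-ID}
"""


def parse_dra_message(message: str) -> dict:
    """Return {key: [values]} for a DRA Message field.

    Repeated keys (Member Added) yield several values; a key with nothing
    after it takes the next non-empty line as its value; lines that match
    no known key are kept under '_unparsed' so nothing is silently dropped.
    """
    fields: dict = {}
    lines = [ln.strip() for ln in message.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m is None:
            fields.setdefault("_unparsed", []).append(line)
            continue
        key, value = m.group("key"), m.group("value")
        if value is None:
            # Key alone on its line: the value is on the following non-empty line.
            while i < len(lines) and not lines[i]:
                i += 1
            if i < len(lines):
                value, i = lines[i], i + 1
        if value is not None:
            fields.setdefault(key, []).append(value)
    return fields
```

The same named-group regex, applied per line, carries over to a transforms.conf REPORT stanza with MV_ADD = true so that repeated keys become multivalue fields; the key-on-its-own-line case still needs the line-pairing logic shown above.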