Getting Data In

Parsing NetIQ DRA data from Windows Application Event Log

PebbleHG
Engager

I have some entries in WinEventLog://Application coming from NetIQ DRA. I couldn't find any add-ons for DRA on Splunkbase, so I'm reaching out for guidance on how to identify KV pairs within the Message field and extract them.

I can see that OOTB, Splunk has configs in etc/system/local/props.conf and transforms.conf that will extract KV pairs delimited by "=" or ":". In this case, the segregation is by spaces and/or tabs, and some of the keys (field names) have spaces as well, so I have to intelligently identify which portions are fields and which portions are values.

Compounding the issue is that some keys and values are on separate lines; for example, take a look at TransactionID and its value in my sample event. I also need to account for the potential of a field containing multiple values, such as "Member Added".

Any hints or guidance would be greatly appreciated.

Message=Action                   MemberAdd
ObjectType        Group
AssistantAdmin DOMAIN\joeblow-a
Target                   DOMAIN\LA.SVC
Domain Controller           SERVERNAME006
Member Added DOMAIN\SERVERNAME603$
Member Added DOMAIN\SERVERNAME604$
UTC Date
                                Wednesday, November 14, 2018
UTC Time
                                3:19:16 PM
AssistantAdmin
                OnePoint             OnePoint://CN=Admin\, Joe Blow,OU=Admin,OU=IT,OU=Users,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
Member Added
                OnePoint                OnePoint://CN=SERVER603,OU=Prod,OU=Servers,OU=Computers,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
                OnePoint                OnePoint://CN=SERVER604,OU=Prod,OU=Servers,OU=Computers,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
Target
                OnePoint                OnePoint://CN=LA.SVC,OU=Prod,OU=Roles,OU=Security,OU=Groups,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
TransactionID
                59E98034949344d98B716B11B00A722D
Sequence Number
                                0
ReturnCode       0x0
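One way to turn the Message body above into Splunk-style multivalue fields, as an added example that is not part of the original post or of any NetIQ or Splunk add-on. It encodes the two structural rules visible in the sample: a line with no leading whitespace names a key (and may carry a value after a run of spaces or tabs), and an indented line is a value belonging to the most recent key. Because keys can contain single spaces ("Domain Controller", "Member Added") and so can values, the key vocabulary is assumed from this one sample and matched longest-first; anything not in the list falls back to "first token is the key". The sample event is a re-typed copy of the poster's, with tabs replaced by spaces.

```python
"""Parse the whitespace-delimited, multi-line Message body of a NetIQ DRA
Windows Application Event Log entry into Splunk-style multivalue fields."""
import re
from datetime import datetime, timezone

# Constructed sample: the event body from the forum post, re-typed here.
# Tabs in the real event are replaced with spaces; the parser treats both alike.
SAMPLE_MESSAGE = r"""Message=Action                   MemberAdd
ObjectType        Group
AssistantAdmin DOMAIN\joeblow-a
Target                   DOMAIN\LA.SVC
Domain Controller           SERVERNAME006
Member Added DOMAIN\SERVERNAME603$
Member Added DOMAIN\SERVERNAME604$
UTC Date
                                Wednesday, November 14, 2018
UTC Time
                                3:19:16 PM
AssistantAdmin
                OnePoint             OnePoint://CN=Admin\, Joe Blow,OU=Admin,OU=IT,OU=Users,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
Member Added
                OnePoint                OnePoint://CN=SERVER603,OU=Prod,OU=Servers,OU=Computers,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
                OnePoint                OnePoint://CN=SERVER604,OU=Prod,OU=Servers,OU=Computers,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
Target
                OnePoint                OnePoint://CN=LA.SVC,OU=Prod,OU=Roles,OU=Security,OU=Groups,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org
TransactionID
                59E98034949344d98B716B11B00A722D
Sequence Number
                                0
ReturnCode       0x0"""

# Assumption: the key vocabulary is inferred from this one sample. Extend it as
# other DRA actions show up; unknown keys fall back to "first token is the key".
# Longest keys first so "Member Added" is tried before any shorter prefix.
KNOWN_KEYS = sorted(
    ["Action", "ObjectType", "AssistantAdmin", "Target", "Domain Controller",
     "Member Added", "UTC Date", "UTC Time", "TransactionID", "Sequence Number",
     "ReturnCode"],
    key=len, reverse=True)


def collapse_ws(s):
    """Squeeze runs of spaces/tabs to one space; the OnePoint column label
    on the indented lines is kept as part of the value."""
    return " ".join(s.split())


def split_key_line(line):
    """Return (key, value_or_empty) for a stripped line that began at column 0."""
    for key in KNOWN_KEYS:
        if line == key:
            return key, ""
        if line.startswith(key) and line[len(key)] in " \t":
            return key, line[len(key):].strip()
    parts = re.split(r"\s+", line, maxsplit=1)   # fallback for unknown keys
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_dra_message(message):
    """Map each key to a list of values (Splunk multivalue semantics).
    Repeated keys, such as the two 'Member Added' blocks, accumulate."""
    text = message[len("Message="):] if message.startswith("Message=") else message
    fields = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":                       # indented: value for current key
            if current is None:
                raise ValueError("value line before any key: %r" % raw)
            fields[current].append(collapse_ws(raw))
        else:                                     # column 0: a key, maybe with value
            key, value = split_key_line(raw.strip())
            current = key.replace(" ", "_")       # Splunk-friendly field name
            fields.setdefault(current, [])
            if value:
                fields[current].append(collapse_ws(value))
    return fields


def event_time_utc(fields):
    """Join the separately reported 'UTC Date' and 'UTC Time' into an aware
    datetime so the event can be timestamped; None if either is missing."""
    if not fields.get("UTC_Date") or not fields.get("UTC_Time"):
        return None
    stamp = "%s %s" % (fields["UTC_Date"][0], fields["UTC_Time"][0])
    parsed = datetime.strptime(stamp, "%A, %B %d, %Y %I:%M:%S %p")
    return parsed.replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    parsed = parse_dra_message(SAMPLE_MESSAGE)
    for name, values in parsed.items():
        print("%s = %r" % (name, values))
    print("event time:", event_time_utc(parsed).isoformat())
```

On the sample, Member_Added comes out with four values (the two short names from the first block and the two OnePoint distinguished names from the later block), AssistantAdmin and Target with two each, and TransactionID and Sequence_Number pick up their values from the following indented line. The same two rules (column-0 line is a key, indented line is a continuation value) are what any props.conf/transforms.conf REGEX extraction for this source would also have to express.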