Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Take only selected parts of a Windows Event Log

mooree
Path Finder
‎11-09-2017 07:18 AM

Windows event logs have a habit of repeating key/value pairs e.g. 

11/08/2017 02:29:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=server.emea.company.loc
TaskCategory=Logon
OpCode=Info
RecordNumber=178069065
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Impersonation Level:        Impersonation

New Logon:
    Security ID:        S-1-5-21-1234567-3099065758-1111111111-222222
    Account Name:       username
    Account Domain:     DOMAIN
    Logon ID:       0x57203C56
    Logon GUID:     {2E25E5E0-50D0-A3D5-9757-339CB370EF0D}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   
    Source Network Address: 6.7.8.9
    Source Port:        49329

Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

where "Security ID", "Account name" and "Account Domain" are repeated under "Subject" and under "new Logon"

is there an easy way to construct a pre-index transform that finds the stanzas 

Security ID:        S-1-0-0
Account Name:       -
Account Domain:     -
Logon ID:       0x0

and just chops it out and leaves only the "before" and "after" to be indexed?
Thanks

0 Karma
Reply

maciep
Champion
‎11-09-2017 06:45 PM

You might have a look at the SEDCMD-class setting in props.conf. I think you should be able to find that pattern and replace it nothing before indexed.

SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
  card or social security numbers. For more information, search the online
  documentation for "anonymize data."
* Used to specify a sed script which Splunk applies to the _raw field.
* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...