Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Take only selected parts of a Windows Event Log
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Take only selected parts of a Windows Event Log
mooree
Path Finder
11-09-2017
07:18 AM
Windows event logs have a habit of repeating key/value pairs e.g.
11/08/2017 02:29:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=server.emea.company.loc
TaskCategory=Logon
OpCode=Info
RecordNumber=178069065
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1234567-3099065758-1111111111-222222
Account Name: username
Account Domain: DOMAIN
Logon ID: 0x57203C56
Logon GUID: {2E25E5E0-50D0-A3D5-9757-339CB370EF0D}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: 6.7.8.9
Source Port: 49329
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
where "Security ID", "Account name" and "Account Domain" are repeated under "Subject" and under "new Logon"
is there an easy way to construct a pre-index transform that finds the stanzas
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
and just chops it out and leaves only the "before" and "after" to be indexed?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maciep
Champion
11-09-2017
06:45 PM
You might have a look at the SEDCMD-class setting in props.conf. I think you should be able to find that pattern and replace it nothing before indexed.
SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
card or social security numbers. For more information, search the online
documentation for "anonymize data."
* Used to specify a sed script which Splunk applies to the _raw field.
* A sed script is a space-separated list of sed commands. Currently the
following subset of sed commands is supported:
* replace (s) and character substitution (y).
* Syntax:
* replace - s/regex/replacement/flags
* regex is a perl regular expression (optionally containing capturing
groups).
* replacement is a string to replace the regex match. Use \n for back
references, where "n" is a single digit.
* flags can be either: g to replace all matches, or a number to
replace a specified match.
* substitute - y/string1/string2/
* substitutes the string1[i] with string2[i]
Get Updates on the Splunk Community!
Bridging the Gap: Splunk Helps Students Move from Classroom to Career
The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...
Preparing your Splunk Environment for OpenSSL3
The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...
Unleash Unified Security and Observability with Splunk Cloud Platform
Now Available on Microsoft AzureThursday, March 27, 2025 | 11AM PST / 2PM EST | Register NowStep boldly ...
