Getting Data In

Take only selected parts of a Windows Event Log

mooree
Path Finder

Windows event logs have a habit of repeating key/value pairs e.g.

11/08/2017 02:29:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=server.emea.company.loc
TaskCategory=Logon
OpCode=Info
RecordNumber=178069065
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Impersonation Level:        Impersonation

New Logon:
    Security ID:        S-1-5-21-1234567-3099065758-1111111111-222222
    Account Name:       username
    Account Domain:     DOMAIN
    Logon ID:       0x57203C56
    Logon GUID:     {2E25E5E0-50D0-A3D5-9757-339CB370EF0D}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   
    Source Network Address: 6.7.8.9
    Source Port:        49329

Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

where "Security ID", "Account Name" and "Account Domain" are repeated under "Subject" and under "New Logon".

Is there an easy way to construct a pre-index transform that finds the stanzas

Security ID:        S-1-0-0
Account Name:       -
Account Domain:     -
Logon ID:       0x0

and just chops it out and leaves only the "before" and "after" to be indexed?
Thanks

0 Karma

maciep
Champion

You might have a look at the SEDCMD-class setting in props.conf. I think you should be able to find that pattern and replace it with nothing before it is indexed.

SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
  card or social security numbers. For more information, search the online
  documentation for "anonymize data."
* Used to specify a sed script which Splunk applies to the _raw field.
* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]
0 Karma
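An added example, not part of the original thread and not Splunk's own code: a props.conf stanza with a SEDCMD that removes the null "Subject:" block, plus a small Python emulation of the sed "s" command as documented above so the regex can be checked against the posted event before it is deployed. The sourcetype name `WinEventLog:Security` follows the usual Windows event log input naming and the class label `strip_null_subject` is an arbitrary name chosen here; both are assumptions. The two sample events are constructed from the post's placeholder values. The regex is anchored on the "Subject:" heading and on the literal null values (S-1-0-0, "-", 0x0), because "Security ID", "Account Name" and "Logon ID" also appear under "New Logon:", and a pattern matching only on those field names would strip the block that actually identifies the logged-on account. It also leaves untouched a Subject block that is not null (for example an interactive logon initiated by SYSTEM), since that is evidence of who started the logon and an index-time deletion cannot be undone.

```python
import re

# Added example, not from the original post: emulate a props.conf SEDCMD
# "s" command on a sample 4624 event so the regex can be verified offline.
# SEDCMD runs at parse time (indexer or heavy forwarder), so the stanza has
# no effect if it is only deployed to a universal forwarder.

# Assumed stanza: sourcetype name follows the usual Windows input naming,
# class label after "SEDCMD-" is arbitrary. \s is used instead of literal
# spaces so the sed script parses unambiguously.
PROPS_CONF = r"""
[WinEventLog:Security]
SEDCMD-strip_null_subject = s/Subject:\s+Security\sID:\s+S-1-0-0\s+Account\sName:\s+-\s+Account\sDomain:\s+-\s+Logon\sID:\s+0x0\s*//
"""

# Constructed sample, abridged from the post's event (placeholder values).
NETWORK_LOGON = """11/08/2017 02:29:59 PM
LogName=Security
EventCode=4624
Message=An account was successfully logged on.

Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

New Logon:
    Security ID:        S-1-5-21-1234567-3099065758-1111111111-222222
    Account Name:       username
    Account Domain:     DOMAIN
    Logon ID:       0x57203C56
"""

# Constructed second sample: an interactive logon whose Subject is the
# local SYSTEM account, not the null SID. This block says who initiated
# the logon and must survive the transform unchanged.
INTERACTIVE_LOGON = (NETWORK_LOGON
    .replace("S-1-0-0", "S-1-5-18")
    .replace("Account Name:       -", "Account Name:       SERVER$")
    .replace("Account Domain:     -", "Account Domain:     DOMAIN")
    .replace("Logon ID:       0x0", "Logon ID:       0x3E7")
    .replace("Logon Type:         3", "Logon Type:         2"))


def parse_sedcmds(props_conf):
    """Return (regex, replacement, flags) for every SEDCMD-* key in the
    stanza text, in file order. Only the "s" command is handled, and an
    escaped "/" inside the regex is not supported by this emulator."""
    scripts = []
    for line in props_conf.splitlines():
        m = re.match(r"\s*SEDCMD-[\w.]+\s*=\s*(.*)$", line)
        if not m:
            continue
        parts = m.group(1).strip().split("/")
        if parts[0] != "s" or len(parts) < 4:
            raise ValueError("unsupported sed command: %s" % m.group(1))
        scripts.append((parts[1], parts[2], parts[3]))
    return scripts


def apply_sedcmd(raw, regex, replacement, flags=""):
    """Apply one sed "s" command as the spec describes: "g" replaces every
    match, a digit N replaces only the Nth match, otherwise the first.
    Back references (\\1 .. \\9) use the same syntax in Python's re."""
    if flags == "g":
        return re.sub(regex, replacement, raw)
    if flags.isdigit():
        nth, seen = int(flags), [0]

        def nth_only(m):
            seen[0] += 1
            return m.expand(replacement) if seen[0] == nth else m.group(0)
        return re.sub(regex, nth_only, raw)
    return re.sub(regex, replacement, raw, count=1)


def transform(raw, props_conf=PROPS_CONF):
    """Run every SEDCMD of the stanza over _raw, in order."""
    for regex, replacement, flags in parse_sedcmds(props_conf):
        raw = apply_sedcmd(raw, regex, replacement, flags)
    return raw


if __name__ == "__main__":
    print(transform(NETWORK_LOGON))
```

Once the regex behaves as expected here, put the stanza on the parsing tier and confirm it is picked up with `splunk btool props list WinEventLog:Security --debug`; the change only affects events indexed after the restart, and events already indexed keep the block.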