Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Take only selected parts of a Windows Event Log

mooree
Path Finder
‎11-09-2017 07:18 AM

Windows event logs have a habit of repeating key/value pairs e.g. 

11/08/2017 02:29:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=server.emea.company.loc
TaskCategory=Logon
OpCode=Info
RecordNumber=178069065
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Impersonation Level:        Impersonation

New Logon:
    Security ID:        S-1-5-21-1234567-3099065758-1111111111-222222
    Account Name:       username
    Account Domain:     DOMAIN
    Logon ID:       0x57203C56
    Logon GUID:     {2E25E5E0-50D0-A3D5-9757-339CB370EF0D}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   
    Source Network Address: 6.7.8.9
    Source Port:        49329

Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

where "Security ID", "Account name" and "Account Domain" are repeated under "Subject" and under "new Logon"

is there an easy way to construct a pre-index transform that finds the stanzas 

Security ID:        S-1-0-0
Account Name:       -
Account Domain:     -
Logon ID:       0x0

and just chops it out and leaves only the "before" and "after" to be indexed?
Thanks

0 Karma
Reply

maciep
Champion
‎11-09-2017 06:45 PM

You might have a look at the SEDCMD-class setting in props.conf. I think you should be able to find that pattern and replace it nothing before indexed.

SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
  card or social security numbers. For more information, search the online
  documentation for "anonymize data."
* Used to specify a sed script which Splunk applies to the _raw field.
* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]
0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...
Top