sedcmd with Eventlog

akuzma_2 · ‎07-31-2018

I want to remove lot of rows in windows eventlog.

I tested it on EventCode=4624 - successful login

02/01/2018 09:56:03 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=COMPUTER1
TaskCategory=Logon
OpCode=Info
RecordNumber=1072237543
Keywords=Audit Success ...

but I cannot get it working. I want to use SEDCMD, but before that I tried in search with rex command in sed mode, but something like that:

rex mode=sed "s/(?!Type=\w+).+//g"

got me only one letter "T" as below:

T

What I am doing wrong?

Maybe I should use transforms instead?

FrankVl · ‎07-31-2018

What exactly is your goal? Which part of the message do you want to remove?

Looking at regex101 with your data and regex, it indeed matches everything except that single T: https://regex101.com/r/BoyXLF/1

Looks like your way of using that negative lookahead is incorrect for what you want to accomplish.

akuzma_2 · ‎07-31-2018

I found that it's incorrect, but I does not know how to make it right.

My goal is to remove almost all fields and leave only 3-4 I need.

FrankVl · ‎07-31-2018

If you tell us which fields you want to remove and which you want to keep, we can help you, but if we don't know what exactly you want to remove, it is impossible to suggest another regex.

sedcmd with Eventlog

Splunk ITSI & Correlated Network Visibility

Community Content Calendar, August edition

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Are you a member of the Splunk Community?

sedcmd with Eventlog

Splunk ITSI & Correlated Network Visibility

Community Content Calendar, August edition

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust