How to extract info from the middle of the multi line error message

SaqibRaheem
New Member

For this use case, see the message below; what we would like to extract is:

I can extract the 1st part OK, but cannot extract the 2nd part.

Needed information from Event ID message:

1st part
--Header--- --Data Results --
Account Name: test01
New Process Name: C:\Program Files\WinZip\Utils
ComputerName= server001

2nd Part
This is the only information we need from the multi-line error message.

Client IP address:
10.10.00.10:34567
Identity the client attempted to authenticate as:
Test\SVC_testLDAP

===================================

See Event ID error below as an example:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4888
EventType=0
Type=Information
ComputerName= server001
TaskCategory=Process Creation
OpCode=Info
RecordNumber=934605653
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: test01
Account Domain: Test
Logon ID: 12345test

Target Subject:
Security ID: NULL SID
Account Name: Test
Account Domain: -
Logon ID: 0x0

Process Information:
New Process ID: 0x2030
New Process Name: C:\Program Files\etc\zip.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0ss0x

Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.10.00.10:34567
Identity the client attempted to authenticate as:
Test\SVC_testLDAP
Binding Type: 3

0 Karma

SaqibRaheem
New Member

Hello,

Thanks for your help.
I tried the regex code, but it is not returning the desired result. It would be nice if we could do it via regex.

This gives back all the information:
index="wineventlog" EventCode=2889

When I add the regex to this, it is still the same info. Not sure if this makes the difference: all the information is

under the "Message" field; we just need to pull from Message and one "ComputerName= server001" field from the top.

The 1st line is the header and below is the data:
Client IP address: Identity the client attempted to authenticate as: ComputerName

10.10.00.10 Test\SVC_testLDAP server001

Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.10.00.10:34567
Identity the client attempted to authenticate as:
Test\SVC_testLDAP
Binding Type: 3

Otherwise I will try Splunk Field Extraction.

Thanks again for the help.

0 Karma

gaurav_maniar
Builder

Hi,

In your case, you have to write a field extraction regex for the client_ip and user_id fields.
Check the attached screenshot; if you want field extraction like that, append your query with the code below:

| rex field=_raw "Client IP address:\s(?<client_ip>[\d\.\:]+)[\s\w]+\:\s(?<user_id>[^\s]+)" 

If these fields are used very often, instead of extracting them at run time with a query, you can use the Splunk Field Extraction utility for automatic field extraction.
https://docs.splunk.com/Documentation/Splunk/8.0.1/Knowledge/ExtractfieldsinteractivelywithIFX

Accept & upvote the answer if it helps.

0 Karma
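To check that the rex pattern from the answer actually pulls the two fields out of the multi-line Message, and to show how the poster's desired table (client IP, identity, ComputerName) can be assembled from it, here is an added example in Python. It is not code from the thread or from Splunk: the regex is the answer's pattern with Splunk's PCRE-style `(?<name>...)` groups rewritten as Python's `(?P<name>...)`, the two sample events are constructed from the event pasted in the question, and the function and variable names are my own.

```python
import re
from typing import Optional

# Constructed sample events, modelled on the event pasted in the question.
# Host, IP and account values are the poster's placeholders, not real systems.
LDAP_BIND_EVENT = r"""LogName=Security
ComputerName= server001
EventCode=2889
Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.10.00.10:34567
Identity the client attempted to authenticate as:
Test\SVC_testLDAP
Binding Type: 3
"""

# A process-creation event with no bind section, to show the non-matching case.
PROCESS_EVENT = r"""LogName=Security
ComputerName= server001
Message=A new process has been created.

Process Information:
New Process Name: C:\Program Files\etc\zip.exe
"""

# The answer's rex pattern, with (?<name>...) changed to Python's (?P<name>...).
# \s after each label matches the newline, so the value on the next line is captured.
BIND_RE = re.compile(
    r"Client IP address:\s(?P<client_ip>[\d\.\:]+)[\s\w]+\:\s(?P<user_id>[^\s]+)"
)
# ComputerName sits in the header; \s* absorbs the space after '=' seen in the sample.
COMPUTER_RE = re.compile(r"^ComputerName=\s*(?P<computer_name>\S+)", re.MULTILINE)


def extract_bind_fields(event: str) -> Optional[dict]:
    """Return client_ip, client_port, user_id and computer_name for an
    unsigned / clear-text LDAP bind event, or None if the event has no bind section."""
    m = BIND_RE.search(event)
    if m is None:
        return None
    addr = m.group("client_ip")
    # The captured value is 'ip:port'; keep the port separate so the IP can be
    # matched against host inventories without the ephemeral port attached.
    ip, sep, port = addr.rpartition(":")
    if not sep:
        ip, port = addr, ""
    host = COMPUTER_RE.search(event)
    return {
        "client_ip": ip,
        "client_port": port,
        "user_id": m.group("user_id"),
        "computer_name": host.group("computer_name") if host else None,
    }


def bind_table(events):
    """Build the (client IP, identity, ComputerName) rows the poster asked for,
    skipping events that are not LDAP bind warnings."""
    rows = []
    for event in events:
        fields = extract_bind_fields(event)
        if fields is not None:
            rows.append((fields["client_ip"], fields["user_id"], fields["computer_name"]))
    return rows


if __name__ == "__main__":
    print("Client IP address\tIdentity\tComputerName")
    for row in bind_table([LDAP_BIND_EVENT, PROCESS_EVENT]):
        print("\t".join(row))
```

Running the script prints one row for the bind event and nothing for the process-creation event, which is the behaviour you want when the rex is applied to a search that returns mixed event types. Because the pattern relies on `\s` crossing line breaks and on the label text between the two values being only word characters and whitespace, it breaks if the message wording changes; a search over an inventory of these events (who is binding without signing, from where) is a useful baseline before enforcing LDAP signing on the domain controllers.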