Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract the fields from Message in WinEventLog?

danielbb
Motivator
‎03-30-2021 09:31 AM

We are trying to to extract the fields from Message in WinEventLog in the Avecto data.

The data looks like -

 

 Process Id: 21592
 Parent Process Id: 24704
 Workstyle: Avecto Defendpoint.Systems Employees
 Application Group: Avecto Defendpoint.Add Admin - Privileged Users - Applications
 Reason: <None>
 File Name: <file name>
 Hash: 4478EBABE67B50EB111D59F95FE029D31329F1FC
 Certificate: <name>
 Description: Command line runner
 Application Type: exe
 Product Name: IntelliJ Platform
 Product Code: <None>
 Upgrade Code: <None>
 ....

 

Each line in Message has a name value pair, separated by a colon.

The documentation at https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Rex shows -

 

| makeresults 
| eval test="a$1,b$2"
| rex field=test max_match=0 "((?<field>[^$]*)\$(?<value>[^,]*),?)"

 

which works.

The similar one I did for Avecto works fine -

 

index = <avecto index> Message=* 
| rex field=Message max_match=0 "((?<field>.+)\:(?<value>.+),?)" 
| table Message field value

 

We end up with field a and value, each is a multi-value field.

Is there a way to change so, we'll have multiple fields, each with its own name/value pair, such as Process_Id having 21592 as its value.

 

 

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2021 10:43 AM 
| makeresults 
| eval test="a$1,b$2"
| rex field=test max_match=0 "((?<field>[^$]*)\$(?<value>[^,]*),?)"

| eval fieldvalue=mvzip(field,value,"=")
| mvexpand fieldvalue
| eval field=mvindex(split(fieldvalue,"="),0)
| eval value=mvindex(split(fieldvalue,"="),1)
| eval {field}=value
| fields - field value fieldvalue test

This will create separate events for each field/value pair. If you want to recombine them back to their original events, if you don't already have a field with a unique value in, you could use streamstats to add a row number to the events before the mvexpand, then use a stats command with values(*) as * by row to recombine them.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...