Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract the fields from Message in WinEventLog?

danielbb
Motivator
‎03-30-2021 09:31 AM

We are trying to to extract the fields from Message in WinEventLog in the Avecto data.

The data looks like -

 

 Process Id: 21592
 Parent Process Id: 24704
 Workstyle: Avecto Defendpoint.Systems Employees
 Application Group: Avecto Defendpoint.Add Admin - Privileged Users - Applications
 Reason: <None>
 File Name: <file name>
 Hash: 4478EBABE67B50EB111D59F95FE029D31329F1FC
 Certificate: <name>
 Description: Command line runner
 Application Type: exe
 Product Name: IntelliJ Platform
 Product Code: <None>
 Upgrade Code: <None>
 ....

 

Each line in Message has a name value pair, separated by a colon.

The documentation at https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Rex shows -

 

| makeresults 
| eval test="a$1,b$2"
| rex field=test max_match=0 "((?<field>[^$]*)\$(?<value>[^,]*),?)"

 

which works.

The similar one I did for Avecto works fine -

 

index = <avecto index> Message=* 
| rex field=Message max_match=0 "((?<field>.+)\:(?<value>.+),?)" 
| table Message field value

 

We end up with field a and value, each is a multi-value field.

Is there a way to change so, we'll have multiple fields, each with its own name/value pair, such as Process_Id having 21592 as its value.

 

 

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2021 10:43 AM 
| makeresults 
| eval test="a$1,b$2"
| rex field=test max_match=0 "((?<field>[^$]*)\$(?<value>[^,]*),?)"

| eval fieldvalue=mvzip(field,value,"=")
| mvexpand fieldvalue
| eval field=mvindex(split(fieldvalue,"="),0)
| eval value=mvindex(split(fieldvalue,"="),1)
| eval {field}=value
| fields - field value fieldvalue test

This will create separate events for each field/value pair. If you want to recombine them back to their original events, if you don't already have a field with a unique value in, you could use streamstats to add a row number to the events before the mvexpand, then use a stats command with values(*) as * by row to recombine them.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top