Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract the fields from Message in WinEventLog?

danielbb
Motivator
‎03-30-2021 09:31 AM

We are trying to to extract the fields from Message in WinEventLog in the Avecto data.

The data looks like -

 

 Process Id: 21592
 Parent Process Id: 24704
 Workstyle: Avecto Defendpoint.Systems Employees
 Application Group: Avecto Defendpoint.Add Admin - Privileged Users - Applications
 Reason: <None>
 File Name: <file name>
 Hash: 4478EBABE67B50EB111D59F95FE029D31329F1FC
 Certificate: <name>
 Description: Command line runner
 Application Type: exe
 Product Name: IntelliJ Platform
 Product Code: <None>
 Upgrade Code: <None>
 ....

 

Each line in Message has a name value pair, separated by a colon.

The documentation at https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Rex shows -

 

| makeresults 
| eval test="a$1,b$2"
| rex field=test max_match=0 "((?<field>[^$]*)\$(?<value>[^,]*),?)"

 

which works.

The similar one I did for Avecto works fine -

 

index = <avecto index> Message=* 
| rex field=Message max_match=0 "((?<field>.+)\:(?<value>.+),?)" 
| table Message field value

 

We end up with field a and value, each is a multi-value field.

Is there a way to change so, we'll have multiple fields, each with its own name/value pair, such as Process_Id having 21592 as its value.

 

 

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2021 10:43 AM 
| makeresults 
| eval test="a$1,b$2"
| rex field=test max_match=0 "((?<field>[^$]*)\$(?<value>[^,]*),?)"

| eval fieldvalue=mvzip(field,value,"=")
| mvexpand fieldvalue
| eval field=mvindex(split(fieldvalue,"="),0)
| eval value=mvindex(split(fieldvalue,"="),1)
| eval {field}=value
| fields - field value fieldvalue test

This will create separate events for each field/value pair. If you want to recombine them back to their original events, if you don't already have a field with a unique value in, you could use streamstats to add a row number to the events before the mvexpand, then use a stats command with values(*) as * by row to recombine them.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
li.common.scroll-to.top