Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract the fields from Message in WinEventLog?

danielbb
Motivator
‎03-30-2021 09:31 AM

We are trying to to extract the fields from Message in WinEventLog in the Avecto data.

The data looks like -

 

 Process Id: 21592
 Parent Process Id: 24704
 Workstyle: Avecto Defendpoint.Systems Employees
 Application Group: Avecto Defendpoint.Add Admin - Privileged Users - Applications
 Reason: <None>
 File Name: <file name>
 Hash: 4478EBABE67B50EB111D59F95FE029D31329F1FC
 Certificate: <name>
 Description: Command line runner
 Application Type: exe
 Product Name: IntelliJ Platform
 Product Code: <None>
 Upgrade Code: <None>
 ....

 

Each line in Message has a name value pair, separated by a colon.

The documentation at https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Rex shows -

 

| makeresults 
| eval test="a$1,b$2"
| rex field=test max_match=0 "((?<field>[^$]*)\$(?<value>[^,]*),?)"

 

which works.

The similar one I did for Avecto works fine -

 

index = <avecto index> Message=* 
| rex field=Message max_match=0 "((?<field>.+)\:(?<value>.+),?)" 
| table Message field value

 

We end up with field a and value, each is a multi-value field.

Is there a way to change so, we'll have multiple fields, each with its own name/value pair, such as Process_Id having 21592 as its value.

 

 

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2021 10:43 AM 
| makeresults 
| eval test="a$1,b$2"
| rex field=test max_match=0 "((?<field>[^$]*)\$(?<value>[^,]*),?)"

| eval fieldvalue=mvzip(field,value,"=")
| mvexpand fieldvalue
| eval field=mvindex(split(fieldvalue,"="),0)
| eval value=mvindex(split(fieldvalue,"="),1)
| eval {field}=value
| fields - field value fieldvalue test

This will create separate events for each field/value pair. If you want to recombine them back to their original events, if you don't already have a field with a unique value in, you could use streamstats to add a row number to the events before the mvexpand, then use a stats command with values(*) as * by row to recombine them.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...