**Hi All, I need help extracting {0000000-0000-0000-0000-000000000000} and {0000000-0000-0000-0000-000000000000} from the log sample below during search. This is what I have so far:**
sourcetype=wineventlog EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS")  | rex field=Message "Properties: (?P[^\s]+) {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "  | rex field=Message "Properties: (?P[^\s]+) {9923a32a-3607-11d2-b9be-0000f87a36b2} " | rex field=Message "Properties: (?P[^\s]+) {1131f6ac-9c07-11d1-f79f-00c04fc2dcd2} "
**Please help me fix this search.**
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4662
EventType=0
Type=Information
ComputerName=gghasfv.net
TaskCategory=Directory Service Access
OpCode=Info
RecordNumber=0000000
Keywords=Audit Success
Message=An operation was performed on an object.
Subject :
    Security ID:        S-1-5-21-0000000-0000-0000-0000-000000000000
    Account Name:       NAME$
    Account Domain:     GOAL
    Logon ID:       GOAL
Object:
    Object Server:      DS
    Object Type:        %{0000000-0000-0000-0000-000000000000}
    Object Name:        %{0000000-0000-0000-0000-000000000000}
    Handle ID:
Operation:
    Operation Type:     Object Access
    Accesses:       Control Access
Access Mask:        0x100
Properties:     Control Access
    {0000000-0000-0000-0000-000000000000}
{0000000-0000-0000-0000-000000000000}
Additional Information:
    Parameter 1:
    Parameter 2
Reference:
DS-Install-Replica 9923a32a-3607-11d2-b9be-0000f87a36b2 
DS-Replication-Manage-Topology 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2
Schema-Id-Guid 19195a5b-6da0-11d0-afd3-00c04fd930c9
cf. https://www.praetorian.com/blog/active-directory-visualization-for-blue-teams-and-threat-hunters
your search
| rex max_match=0 "[^%](?<guid>{.*})"
Try rex with max_match. This command excludes Object Type and Object Name.
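As an added example (not part of the thread, and not Splunk code): the same extraction rule written in Python so the regex can be tested offline against a constructed 4662 message before it goes into a rex. It uses a negative lookbehind instead of the `[^%]` character class, so the `%{...}` Object Type and Object Name entries are skipped without consuming a character, and it anchors on the GUID shape rather than `{.*}`, so two GUIDs on one line are captured separately. The watched GUIDs are the three from the reference list above plus 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 from the original search; its name, DS-Replication-Get-Changes-All, is not stated in the thread. The sample message and SIDs are constructed.

```python
import re

# Control access right GUIDs to alert on. The first three appear in the thread's
# reference list / original search; the name for 1131f6ad is the documented
# Active Directory name, not something the thread states.
WATCHED_RIGHTS = {
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "DS-Install-Replica",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# A braced GUID that is NOT preceded by '%'. The '%{...}' form is what the
# Object Type / Object Name lines use, so this excludes them, as the thread's
# rex "[^%](?<guid>{.*})" does, but without consuming the preceding character
# and without the greedy '{.*}' that would merge two GUIDs on one line.
PROPERTY_GUID = re.compile(
    r"(?<!%)\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}", re.IGNORECASE
)

ACCESS_MASK = re.compile(r"Access Mask:\s*(0x[0-9a-f]+)", re.IGNORECASE)

# Constructed 4662 message in the same layout as the thread's log sample.
SAMPLE_MESSAGE = """An operation was performed on an object.
Subject :
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1105
    Account Name:       DC01$
    Account Domain:     EXAMPLE
    Logon ID:       0x3E7
Object:
    Object Server:      DS
    Object Type:        %{19195a5b-6da0-11d0-afd3-00c04fd930c9}
    Object Name:        %{12345678-abcd-ef01-2345-6789abcdef01}
    Handle ID:      0x0
Operation:
    Operation Type:     Object Access
    Accesses:       Control Access
    Access Mask:        0x100
    Properties:     Control Access
    {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
    {19195a5b-6da0-11d0-afd3-00c04fd930c9}
Additional Information:
    Parameter 1:        -
    Parameter 2:
"""


def extract_property_guids(message):
    """Return the property GUIDs (lower-cased, in order), skipping '%{...}' entries."""
    return [g.lower() for g in PROPERTY_GUID.findall(message)]


def matched_rights(message):
    """Map each extracted GUID that is on the watch list to its right name."""
    return {g: WATCHED_RIGHTS[g] for g in extract_property_guids(message) if g in WATCHED_RIGHTS}


def is_control_access(message):
    """True when the event's Access Mask is 0x100 (Control Access)."""
    m = ACCESS_MASK.search(message)
    return bool(m) and int(m.group(1), 16) == 0x100


def triage(message):
    """Watched rights exercised by a Control Access event; empty dict otherwise."""
    if not is_control_access(message):
        return {}
    return matched_rights(message)


if __name__ == "__main__":
    print("properties :", extract_property_guids(SAMPLE_MESSAGE))
    print("watched    :", triage(SAMPLE_MESSAGE))
```

The equivalent of `triage` in the thread's SPL is the Access_Mask=0x100 filter plus the `search guid=...` step; the Python version makes it easy to confirm, on a saved message, which lines the regex keeps before trusting the field in a dashboard.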
This is my updated search. It is not filtering the properties.
sourcetype=wineventlog (EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS")) OR (EventCode="4624" session_id!="NT AUTHORITY" Account_Domain!="Window Manager") | rex max_match=0 "[^%](?<guid>{.*})" | search (guid="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" OR guid="{9923a32a-3607-11d2-b9be-0000f87a36b2}" OR guid="{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}")
guid is multivalue, so search can't work.
sourcetype=wineventlog  ("{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" OR "{9923a32a-3607-11d2-b9be-0000f87a36b2}" OR "{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}") (EventCode="4662" OR EventCode="4624")
How is this?
I guess if extra results appear, use NOT.
You can do it.
This works fine but it is slow. Is there a way it can be accelerated?
(EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS")) can be used in the same way. It will be faster.
If this is properly structured XML or JSON, just use mvexpand on your multi-value field. You can also pipe that to "search" for a specific value in the MV field.
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Mvexpand
