Splunk Enterprise Security

How to extract a field with a NULL/blank value

HunterJD
New Member

I am working with winevent logs for failed logons (Event 4625) and I have a log that has null/blank values for Account and Domain. When I try to extract the field I can see in the IFX that it is being grabbed as what seems to be a null/blank value using my regex below. When I save the extraction, all of the other fields I am extracting work, but the Account and Domain fields are not being assigned a value of anything and are not showing up as extracted fields. My question is how do I extract a null/blank value from a log and have Splunk still recognize it as a field with a null/blank value?

The regex I am using is:

(?s)EventCode=4625.+?ComputerName=(?<ComputerName>[^\s]+).+?Logon Type:\s+(?<LogonType>\d).+?Account Name:\s+(?<AccountName>[^\r\n]*)\sAccount Domain:\s+(?<AccountDomain>[^\r\n]*)(Failure Reason:).+?Caller Process Name:\s+(?<CallerProcessName>[^\s]+).+?Workstation Name:\s+(?<WorkstationName>[^\s]+).+?Source Network Address:\s+(?<SourceNetworkAddress>[^\s]+).+?Source Port:\s+(?<SourcePort>[^\s]+)

The log looks like this:

11/15/2019 12:36:54 PM
EventCode=4625
ComputerName=somehost
Message=An account failed to log on.
Security ID: DOMAIN\someuser
Account Name: someuser
Account Domain: DOMAIN
Logon ID: 0x0000000
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:

Account Domain:

Failure Reason: An Error occured during Logon.
Status: 0x00000000
Sub Status: 0x0
Caller Process ID: 0x0000
Caller Process Name: C:\Windows\System32\someprocess.exe
Workstation Name: somehost
Source Network Address: -
Source Port: -


woodcock
Esteemed Legend

Splunk treats truly null fields as though they do not exist at all. You can counteract this after the fact with the fillnull and filldown commands to replace the null/empty field values with placeholder values like the string "null" or anything else.

Sukisen1981
Champion

So, I tested with this

   |makeresults | eval text="EventCode=4625
    ComputerName=somehost
    Message=An account failed to log on.
    Security ID: DOMAIN\someuser
    Account Name: someuser
    Account Domain: DOMAIN
    Logon ID: 0x0000000
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:
    Failure Reason: An Error occured during Logon.
    Status: 0x00000000
    Sub Status: 0x0
    Caller Process ID: 0x0000
    Caller Process Name: C:\Windows\System32\someprocess.exe
    Workstation Name: somehost
    Source Network Address: -
    Source Port: -"|rex field=text "Account Name\:+(?<accname>.*)"|table accname

I receive accname as someuser, and then I test like this

|makeresults | eval text="EventCode=4625
ComputerName=somehost
Message=An account failed to log on.
Security ID: DOMAIN\someuser
Account Name:
Account Domain: DOMAIN
Logon ID: 0x0000000
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Reason: An Error occured during Logon.
Status: 0x00000000
Sub Status: 0x0
Caller Process ID: 0x0000
Caller Process Name: C:\Windows\System32\someprocess.exe
Workstation Name: somehost
Source Network Address: -
Source Port: -"|rex field=text "Account Name\:+(?<accname>.*)"|table accname

I still get accname extracted as null.
As long as you have the identifiers Account Name and Account Domain, even if their values are null, regex will extract those fields.
Are you saying there are some logs where the field name Account Name itself is missing?

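Added example, not part of any reply in this thread: a Python stand-in that runs the question's extraction over a constructed copy of the sample event, then emulates the two behaviours woodcock and Sukisen1981 describe, first the regex capturing an empty string for the blank Account Name / Account Domain lines, then Splunk treating an empty capture as a field that does not exist, and finally fillnull putting a placeholder back. Python's re module needs (?P<name>...) where Splunk's PCRE engine takes (?<name>...), the group names are assumed, and the two account captures are written as [^\r\n]* so that they can match an empty value; everything else in the pattern follows the question.

```python
import re

# Constructed sample, modelled on the 4625 event in the question: the
# "Account For Which Logon Failed" block has blank Account Name and
# Account Domain lines, each followed by an empty line.
SAMPLE_4625 = r"""11/15/2019 12:36:54 PM
EventCode=4625
ComputerName=somehost
Message=An account failed to log on.
Security ID: DOMAIN\someuser
Account Name: someuser
Account Domain: DOMAIN
Logon ID: 0x0000000
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:

Account Domain:

Failure Reason: An Error occured during Logon.
Status: 0x00000000
Sub Status: 0x0
Caller Process ID: 0x0000
Caller Process Name: C:\Windows\System32\someprocess.exe
Workstation Name: somehost
Source Network Address: -
Source Port: -
"""

# The question's pattern. Python's re only knows (?P<name>...), so that form is
# used in place of Splunk's (?<name>...); the group names themselves are assumed.
# The two account captures are [^\r\n]* so that they can match an empty value.
FAILED_LOGON_RE = re.compile(
    r"(?s)EventCode=4625.+?ComputerName=(?P<ComputerName>[^\s]+)"
    r".+?Logon Type:\s+(?P<LogonType>\d)"
    r".+?Account Name:\s+(?P<AccountName>[^\r\n]*)"
    r"\sAccount Domain:\s+(?P<AccountDomain>[^\r\n]*)(Failure Reason:)"
    r".+?Caller Process Name:\s+(?P<CallerProcessName>[^\s]+)"
    r".+?Workstation Name:\s+(?P<WorkstationName>[^\s]+)"
    r".+?Source Network Address:\s+(?P<SourceNetworkAddress>[^\s]+)"
    r".+?Source Port:\s+(?P<SourcePort>[^\s]+)"
)

# The fields that can legitimately be blank on a 4625 event.
NULLABLE = ("AccountName", "AccountDomain")


def regex_groups(event):
    """What the regex engine sees: every named group, empty strings included.

    Returns None when the pattern does not match the event at all.
    """
    match = FAILED_LOGON_RE.search(event)
    return None if match is None else match.groupdict()


def as_splunk_fields(groups):
    """Emulate Splunk's view of the same extraction.

    A capture that matched the empty string produces no field: to Splunk the
    field simply does not exist on that event, even though the regex matched.
    """
    return {name: value for name, value in groups.items() if value != ""}


def fillnull(fields, names, value="null"):
    """Emulate `| fillnull value="null" <names>`.

    Fields missing from the event are created with the placeholder; fields
    that already carry a value are left untouched.
    """
    filled = dict(fields)
    for name in names:
        filled.setdefault(name, value)
    return filled


if __name__ == "__main__":
    groups = regex_groups(SAMPLE_4625)
    print("regex groups:  ", groups)
    fields = as_splunk_fields(groups)
    print("splunk fields: ", fields)
    print("after fillnull:", fillnull(fields, NULLABLE))
```

Running the script shows AccountName and AccountDomain present as empty strings in the regex result, absent from the emulated Splunk field set, and present again as "null" after the fillnull step; in Splunk itself the equivalent is the rex extraction followed by `| fillnull value="null" AccountName AccountDomain`.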