Splunk Enterprise Security

How to extract a field with a NULL/blank value

HunterJD
New Member

I am working with winevent logs for failed logons (Event 4625) and I have a log that has null/blank values for Account and Domain. When I try to extract the field I can see in the IFX that it is being grabbed as what seems to be a null/blank value using my regex below. When I save the extraction, all of the other fields I am extracting work, but the Account and Domain fields are not being assigned a value of anything and are not showing up as extracted fields. My question is how do I extract a null/blank value from a log and have Splunk still recognize it as a field with a null/blank value.

The regex I am using is:

(?s)EventCode=4625.+?ComputerName=(?<ComputerName>[^\s]+).+?Logon Type:\s+(?<Logon_Type>\d).+?Account Name:\s+(?<Account_Name>[^\r\n]*)\sAccount Domain:\s+(?<Account_Domain>[^\r\n]*)(Failure Reason:).+?Caller Process Name:\s+(?<Caller_Process_Name>[^\s]+).+?Workstation Name:\s+(?<Workstation_Name>[^\s]+).+?Source Network Address:\s+(?<Source_Network_Address>[^\s]+).+?Source Port:\s+(?<Source_Port>[^\s]+)

The log looks like this:

11/15/2019 12:36:54 PM
EventCode=4625
ComputerName=somehost
Message=An account failed to log on.
Security ID: DOMAIN\someuser
Account Name: someuser
Account Domain: DOMAIN
Logon ID: 0x0000000
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:

Account Domain:

Failure Reason: An Error occured during Logon.
Status: 0x00000000
Sub Status: 0x0
Caller Process ID: 0x0000
Caller Process Name: C:\Windows\System32\someprocess.exe
Workstation Name: somehost
Source Network Address: -
Source Port: -


woodcock
Esteemed Legend

Splunk treats truly null fields as though they do not exist at all. You can counteract this after the fact with the fillnull and filldown commands to replace the null/empty field values with placeholder values like the string "null" or anything else.

Sukisen1981
Champion

So, I tested with this

   |makeresults | eval text="EventCode=4625
    ComputerName=somehost
    Message=An account failed to log on.
    Security ID: DOMAIN\someuser
    Account Name: someuser
    Account Domain: DOMAIN
    Logon ID: 0x0000000
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:
    Failure Reason: An Error occured during Logon.
    Status: 0x00000000
    Sub Status: 0x0
    Caller Process ID: 0x0000
    Caller Process Name: C:\Windows\System32\someprocess.exe
    Workstation Name: somehost
    Source Network Address: -
    Source Port: -"|rex field=text "Account Name\:+(?<accname>.*)"|table accname

I receive accname as someuser, and then I test like this

    |makeresults | eval text="EventCode=4625
    ComputerName=somehost
    Message=An account failed to log on.
    Security ID: DOMAIN\someuser
    Account Name:
    Account Domain: DOMAIN
    Logon ID: 0x0000000
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:
    Failure Reason: An Error occured during Logon.
    Status: 0x00000000
    Sub Status: 0x0
    Caller Process ID: 0x0000
    Caller Process Name: C:\Windows\System32\someprocess.exe
    Workstation Name: somehost
    Source Network Address: -
    Source Port: -"|rex field=text "Account Name\:+(?<accname>.*)"|table accname

I still get accname extracted as null.
As long as you have the identifier Account Name and Account Domain, even if their value is null, regex will extract those fields.
Are you saying there are some logs where the field name Account Name itself is missing?

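As an added example that is not part of either answer and not Splunk's own code, the Python harness below runs a reworked version of the question's extraction over both variants of the event (Sukisen1981's populated and blank cases) and mimics the behaviour woodcock describes: the regex engine does match the blank value, as an empty string, but an empty capture produces no field, and a fillnull step is what restores a searchable placeholder. The group names (derived from the log labels), the sample events and the tightened regex are my assumptions.

```python
import re

# Regex reworked from the question's extraction (my assumption, not the
# questioner's exact pattern): group names are taken from the log labels, and
# the value captures are [^\r\n]* so that a label followed by nothing still
# matches, as an empty string. [ \t]* instead of \s+ after the label keeps a
# blank value from swallowing the following line.
FIELD_RE = re.compile(
    r"(?s)EventCode=4625.+?ComputerName=(?P<ComputerName>\S+)"
    r".+?Logon Type:\s+(?P<Logon_Type>\d+)"
    # The first "Account Name:" after "Logon Type:" is the account for which
    # the logon failed, not the Subject account earlier in the event.
    r".+?Account Name:[ \t]*(?P<Account_Name>[^\r\n]*)"
    r"\s*Account Domain:[ \t]*(?P<Account_Domain>[^\r\n]*)"
    r"\s*Failure Reason:"
    r".+?Caller Process Name:\s+(?P<Caller_Process_Name>\S+)"
    r".+?Workstation Name:\s+(?P<Workstation_Name>\S+)"
    r".+?Source Network Address:\s+(?P<Source_Network_Address>\S+)"
    r".+?Source Port:\s+(?P<Source_Port>\S+)"
)


def make_event(target_name, target_domain):
    """Constructed 4625 event in the questioner's layout (sample data, not a
    real log). An empty target value is written as the bare label followed
    by an empty line, exactly as in the question."""
    def labelled(label, value):
        return [f"{label}: {value}"] if value else [f"{label}:", ""]

    lines = [
        "11/15/2019 12:36:54 PM",
        "EventCode=4625",
        "ComputerName=somehost",
        "Message=An account failed to log on.",
        "Security ID: DOMAIN\\someuser",
        "Account Name: someuser",  # Subject: the account that attempted the logon
        "Account Domain: DOMAIN",
        "Logon ID: 0x0000000",
        "Logon Type: 3",
        "Account For Which Logon Failed:",
        "Security ID: NULL SID",
        *labelled("Account Name", target_name),  # target account, may be blank
        *labelled("Account Domain", target_domain),
        "Failure Reason: An Error occured during Logon.",
        "Status: 0x00000000",
        "Sub Status: 0x0",
        "Caller Process ID: 0x0000",
        "Caller Process Name: C:\\Windows\\System32\\someprocess.exe",
        "Workstation Name: somehost",
        "Source Network Address: -",
        "Source Port: -",
    ]
    return "\n".join(lines)


def raw_captures(event):
    """What the regex engine itself captures: blank values come back as ''."""
    m = FIELD_RE.search(event)
    return m.groupdict() if m else None


def extract(event):
    """Mimic Splunk's rex/IFX behaviour: a capture that matched the empty
    string produces no field at all, so the key is absent from the result."""
    captures = raw_captures(event) or {}
    return {name: value for name, value in captures.items() if value != ""}


def fillnull(fields, value, names):
    """Mimic `| fillnull value=<value> <names>`: every listed field that is
    missing gets the placeholder; fields that already exist are left alone."""
    return {**{name: value for name in names}, **fields}


if __name__ == "__main__":
    for label, event in [("populated", make_event("target", "TARGETDOM")),
                         ("blank", make_event("", ""))]:
        fields = extract(event)
        filled = fillnull(fields, "NULL", ["Account_Name", "Account_Domain"])
        print(label, "raw:", raw_captures(event)["Account_Name"] + "|",
              "extracted:", fields.get("Account_Name"),
              "after fillnull:", filled["Account_Name"])
```

The Splunk equivalent of the last two steps is `| rex ... | fillnull value="NULL" Account_Name Account_Domain | where Account_Name="NULL"`. Note the two ways Windows writes "nothing" in this event: the target Account Name and Account Domain are genuinely empty, while Source Network Address and Source Port carry a literal "-", which does extract as a field. A search for failed logons with no target account therefore has to treat both the placeholder from fillnull and the literal "-" as empty.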