Splunk Enterprise

Data Extraction from Winevent XML

pirsa
Explorer

Howdy Guys,

We were previously getting Windows Application event logs through with a simple stanza that whitelisted only the 11707 event. The data was coming through in non-XML form and was rather clean when searching for these events in Splunk.

However, recently we deployed the "Splunk_TA_windows" to all desktops, which included the Windows Application event logs, but this is sending them in XML format. This is OK, as I believe this is preferred for licensing/ingestion in Splunk, but it now means one of our simple reports no longer works, as the fields it was looking for are no longer there (the Windows TA seems to be taking over the previous simple app's 11707 event ingestion).

It appears the TA does not extract anything from the <EventData></EventData> block; it only grabs the whole block. However, I am interested in getting the "Product:" from that block.
Sample data:

<EventData><Data>Product: Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 -- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B31443845363239312D423044352D333545432D383434312D3636313646353637413046377D</Binary></EventData></Event>
<EventData><Data>Product: Surface Pro Update 21.012.27402.0 (64 bit) -- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B42423130324541442D453133362D343946382D384645312D4138383831373442364646397D</Binary></EventData></Event>
<EventData><Data>Product: Surface Pro Update 19.092.25297.0 (64 bit) -- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B36363938354431392D323831452D343736442D394242452D3645453944464131413433387D</Binary></EventData></Event>

Given I suck at REGEX, how could I extract "Product:*" from the above events, so I could add it to a local/transforms.conf to extract the string I need?

[product_string_for_11707_events]
REGEX = ??????
FORMAT = product::"$1"

Any and all assistance appreciated.

0 Karma
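One way to build and check the regex the question asks for, as an added example that is not from the original post or from Splunk: the script below reuses the three sample EventData fragments (Binary blobs shortened, plus one constructed event with no Product line), applies a candidate REGEX with named groups, and renders the transforms.conf stanza. The stanza name and the use of a search-time REPORT extraction are assumptions.

```python
import re
from typing import Optional

# Constructed copies of the EventData fragments from the post (Binary blobs shortened),
# plus one constructed block without a Product line to confirm the regex does not misfire.
SAMPLE_EVENTS = [
    "<EventData><Data>Product: Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 -- Installation completed successfully.</Data><Data>(NULL)</Data><Data></Data><Binary>7B31...7D</Binary></EventData></Event>",
    "<EventData><Data>Product: Surface Pro Update 21.012.27402.0 (64 bit) -- Installation completed successfully.</Data><Data>(NULL)</Data><Data></Data><Binary>7B42...7D</Binary></EventData></Event>",
    "<EventData><Data>Product: Surface Pro Update 19.092.25297.0 (64 bit) -- Installation completed successfully.</Data><Data>(NULL)</Data><Data></Data><Binary>7B36...7D</Binary></EventData></Event>",
    "<EventData><Data>(NULL)</Data><Binary>00</Binary></EventData></Event>",  # constructed negative case
]

# Candidate value for the transforms.conf REGEX key. Python's re and Splunk's PCRE both
# accept the (?P<name>...) named-group syntax, so the same string can be pasted into the stanza.
# "product": text after "Product: " up to the " -- " separator (lazy, so the status sentence is
# excluded; a single "-" inside a version string does not terminate the match).
# "status": the remainder of the same <Data> element.
PRODUCT_REGEX = r"<Data>Product:\s*(?P<product>.+?)\s+--\s+(?P<status>[^<]*)</Data>"
_PRODUCT_RE = re.compile(PRODUCT_REGEX)


def extract_product(event: str) -> Optional[dict]:
    """Return {'product': ..., 'status': ...} for an 11707 EventData string, or None if absent."""
    m = _PRODUCT_RE.search(event)
    if not m:
        return None
    return {"product": m.group("product"), "status": m.group("status").strip()}


def transforms_stanza(stanza_name: str = "product_string_for_11707_events") -> str:
    """Render the transforms.conf stanza from the post using the named-group form.
    Assumption: with named groups Splunk takes the field names from the regex itself,
    so the FORMAT line is not needed."""
    return f"[{stanza_name}]\nREGEX = {PRODUCT_REGEX}\n"


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_product(ev))
    print(transforms_stanza())
```

The stanza only takes effect at search time once props.conf references it for the relevant sourcetype with a line such as `REPORT-product = product_string_for_11707_events` (assumed wiring, not shown in the post).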