Splunk Enterprise

Data Extraction from Winevent XML

pirsa
Explorer

Howdy Guys,

We were getting Windows Event Application logs through with a simple stanza previously, that would be whitelisting only the 11707 event. The data was coming through in non-XML, and was rather clean when searching for these events in Splunk.

However, recently we deployed the "Splunk_TA_windows" to all desktops, which included the Windows Application win event logs, but this is sending them in XML format. This is ok, as I believe this is preferred for licensing/ingestion in Splunk, but it now means one of our simple reports is no longer working, as the fields it was looking for are no longer there (the Windows TA seems to be taking over the previous simple app's 11707 event ingestion).

It appears the TA does not extract anything out from the <EventData></EventData>; it just grabs the whole block. However, I am interested in getting the "Product:" from that block.
Sample data:

<EventData><Data>Product: Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 -- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B31443845363239312D423044352D333545432D383434312D3636313646353637413046377D</Binary></EventData></Event>
<EventData><Data>Product: Surface Pro Update 21.012.27402.0 (64 bit) -- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B42423130324541442D453133362D343946382D384645312D4138383831373442364646397D</Binary></EventData></Event>
<EventData><Data>Product: Surface Pro Update 19.092.25297.0 (64 bit) -- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data>(NULL)</Data><Data></Data><Binary>7B36363938354431392D323831452D343736442D394242452D3645453944464131413433387D</Binary></EventData></Event>

Given I suck at REGEX, how could I extract "Product:*" from the above events, so I could add it to a local/transforms.conf to extract the string I need?

[product_string_for_11707_events]
REGEX = ??????
FORMAT = product::"$1"

Any and all assistance appreciated.

0 Karma
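The extraction the question asks for, as an added example written for this page (it is not the poster's code and not part of Splunk_TA_windows): the candidate REGEX is exercised with Python's re module against constructed copies of the sample events quoted above. Splunk evaluates a transforms.conf REGEX with PCRE, but the pattern uses only constructs that PCRE and Python's re share, so it behaves the same in both. Going one step beyond the question, decode_binary shows that the <Binary> payload in these events is hex-encoded ASCII (the MSI product code GUID); the assumption that it is always ASCII is marked in the code.

```python
import re

# Constructed sample events, modelled on the three EventData fragments quoted in the post.
# Only the tail of each <Event> element is reproduced, which is all the extraction needs.
SAMPLE_EVENTS = [
    "<EventData><Data>Product: Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 "
    "-- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data>"
    "<Data></Data>"
    "<Binary>7B31443845363239312D423044352D333545432D383434312D3636313646353637413046377D</Binary>"
    "</EventData></Event>",
    "<EventData><Data>Product: Surface Pro Update 21.012.27402.0 (64 bit) "
    "-- Installation completed successfully.</Data><Data>(NULL)</Data><Data>(NULL)</Data>"
    "<Data></Data>"
    "<Binary>7B42423130324541442D453133362D343946382D384645312D4138383831373442364646397D</Binary>"
    "</EventData></Event>",
]

# Candidate REGEX for the transforms.conf stanza in the question.
# Group 1 is the product string after "Product: ", trimmed of the " -- <status>" suffix;
# group 2 is the status text. Anchoring on "<Data>Product:" keeps the match inside the
# first <Data> element, and "[^<]*" stops at its closing tag, so the (NULL) elements that
# follow are never touched. A single "-" inside a product name (as in "- 10.0.40219")
# does not end group 1, because the separator must be two dashes.
PRODUCT_REGEX = r"<Data>Product:\s*(.+?)\s*--\s*([^<]*)</Data>"


def extract_product(event: str):
    """Return (product, status) from one XML-rendered 11707 event, or None if absent."""
    m = re.search(PRODUCT_REGEX, event)
    if m is None:
        return None
    return m.group(1), m.group(2)


def decode_binary(event: str):
    """Decode the <Binary> payload.

    Assumption: in these MsiInstaller events the payload is hex-encoded ASCII text
    (the product code GUID in braces), so decoding as ASCII is safe.
    """
    m = re.search(r"<Binary>([0-9A-Fa-f]+)</Binary>", event)
    if m is None:
        return None
    return bytes.fromhex(m.group(1)).decode("ascii")


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_product(ev), decode_binary(ev))
```

Dropped into the stanza from the question, the same pattern would read `REGEX = <Data>Product:\s*(.+?)\s*--` with FORMAT referring to group 1 as `$1`; the stanza still has to be referenced from a props.conf REPORT- setting on the sourcetype the TA assigns to these events (assumed here to be XmlWinEventLog). If the report should carry the whole "Product: ... successfully." text rather than just the name, drop the `\s*--` tail and let the group run to `[^<]*`.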