Splunk Search

Extract multiple lines from search output

kkossery
Communicator

Experts,

I have a Event Log output using the search string

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"

The output would be, after truncating it,

10/22/2014 11:49:09 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4742
EventType=0
Type=Information
ComputerName=HostName
TaskCategory=Computer Account Management
OpCode=Info
RecordNumber=3344821
Keywords=Audit Success

etc. for each event code ID.

I would like the lines 1, 4 and 7 from the output for example.
I used regex and was able to get to one line but do not know how to match the other 4th and 7th line only. See my expression below,

(?<EveID>EventCode\S+)

That would match Event Code=4742 but how do you expand the expression to include line 4 and line 7.

Thank you.

Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Something like this might do the job:

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739" | rex "(?m)(?<EveID>EventCode=\S*)[\s\S]*ComputerName=(?<ComputerName>\S+)\s+TaskCategory=(?<TaskCategory>[\s\S]+?)\n" | table _time EveID ComputerName TaskCategory
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Something like this might do the job:

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739" | rex "(?m)(?<EveID>EventCode=\S*)[\s\S]*ComputerName=(?<ComputerName>\S+)\s+TaskCategory=(?<TaskCategory>[\s\S]+?)\n" | table _time EveID ComputerName TaskCategory
---
If this reply helps you, Karma would be appreciated.

kkossery
Communicator

Thank richgalloway. How do we also add

TaskCategory=Computer Account Management

to this. Since this has a white space, I'm unable to figure out how to include the sentence "Computer Account Management"

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I've updated my answer to include TaskCategory.
You can probably work out how to add it to @MuS's solution.

---
If this reply helps you, Karma would be appreciated.
0 Karma

MuS
SplunkTrust
SplunkTrust

or to answer the question how to get the nth line...try this:

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"
| rex field=_raw "([^\n]*\n){3}([^\n]\w+\=(?<EveID>.*))" 
| rex field=_raw "([^\n]*\n){6}([^\n]\w+\=(?<ComputerName>.*))" 
| table EveID,ComputerName

cheers, MuS

0 Karma

kkossery
Communicator

Thanks MuS. I'll use your output too on a different problem.

0 Karma

MuS
SplunkTrust
SplunkTrust

What is the expected result of line 4 and line 7? Should line 4 be ComputerName and line 7 RecordNumber ? I'm asking because EventCode is not line 1....

0 Karma

kkossery
Communicator

Sorry about that. Expected result should be,

Time    EveID                                  ComputerName         
_time   Event Code=4742              MyHost.com
_time   Event Code=4772              MyHost2.com

etc..

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...