Splunk Search

Extract multiple lines from search output

kkossery
Communicator

Experts,

I have an Event Log output using the search string

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"

The output would be, after truncating it,

10/22/2014 11:49:09 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4742
EventType=0
Type=Information
ComputerName=HostName
TaskCategory=Computer Account Management
OpCode=Info
RecordNumber=3344821
Keywords=Audit Success

etc. for each event code ID.

I would like the lines 1, 4 and 7 from the output for example.
I used regex and was able to get one line but do not know how to match the 4th and 7th lines as well. See my expression below:

(?<EveID>EventCode\S+)

That would match Event Code=4742 but how do you expand the expression to include line 4 and line 7.

Thank you.

1 Solution

richgalloway
SplunkTrust

Something like this might do the job:

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"
| rex "(?m)(?<EveID>EventCode=\S*)[\s\S]*ComputerName=(?<ComputerName>\S+)\s+TaskCategory=(?<TaskCategory>[\s\S]+?)\n"
| table _time EveID ComputerName TaskCategory
---
If this reply helps you, Karma would be appreciated.

kkossery
Communicator

Thanks richgalloway. How do we also add

TaskCategory=Computer Account Management

to this. Since this has whitespace in it, I'm unable to figure out how to include the sentence "Computer Account Management".


richgalloway
SplunkTrust

I've updated my answer to include TaskCategory.
You can probably work out how to add it to @MuS's solution.

---
If this reply helps you, Karma would be appreciated.

MuS
SplunkTrust

Or, to answer the question of how to get the nth line, try this:

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"
| rex field=_raw "([^\n]*\n){3}([^\n]\w+\=(?<EveID>.*))" 
| rex field=_raw "([^\n]*\n){6}([^\n]\w+\=(?<ComputerName>.*))" 
| table EveID,ComputerName

cheers, MuS

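The two answers above take different routes to the same fields: richgalloway's rex anchors on the field names (EventCode=, ComputerName=, TaskCategory=), while MuS's rex counts lines and takes whatever follows key= on line 4 and line 7. The Python below is an added illustration, not code from the thread, that ports both regexes onto constructed sample records in the layout shown in the question and then runs the positional one against a record with one extra header line (a hypothetical layout change, also constructed here) to show why anchoring on names is the more robust choice. Python's re module spells named groups (?P<name>...) where Splunk's PCRE accepts (?<name>...); the patterns are otherwise the same.

```python
import re

# Constructed sample events (added for this example; not from the original
# post).  Each string is one multi-line WinEventLog:Security record in the
# layout the question shows.
SAMPLE_EVENTS = [
    "10/22/2014 11:49:09 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4742\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=MyHost.com\n"
    "TaskCategory=Computer Account Management\n"
    "OpCode=Info\n"
    "RecordNumber=3344821\n"
    "Keywords=Audit Success\n",
    "10/22/2014 11:52:31 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4741\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=MyHost2.com\n"
    "TaskCategory=Computer Account Management\n"
    "OpCode=Info\n"
    "RecordNumber=3344900\n"
    "Keywords=Audit Success\n",
]

# The first event again with one hypothetical extra header line ("Version=1")
# inserted before ComputerName, constructed to show the positional failure mode.
SHIFTED_EVENT = SAMPLE_EVENTS[0].replace(
    "Type=Information\n", "Version=1\nType=Information\n")

# richgalloway's approach, ported from the accepted answer's rex: anchor on the
# field names rather than on line positions.  The lazy [\s\S]*? stops at the
# first ComputerName=; the answer's greedy [\s\S]* behaves the same here because
# each record contains that key exactly once.
ANCHORED = re.compile(
    r"(?P<EveID>EventCode=\S*)[\s\S]*?"
    r"ComputerName=(?P<ComputerName>\S+)\s+"
    r"TaskCategory=(?P<TaskCategory>[\s\S]+?)\n"
)


def extract_anchored(raw):
    """Return {'EveID', 'ComputerName', 'TaskCategory'} for one record, or None
    when any of the three keys is missing (Splunk's rex would leave the fields
    unset for that event)."""
    m = ANCHORED.search(raw)
    return m.groupdict() if m else None


def extract_nth_line(raw, n):
    """MuS's approach: skip n-1 lines, then capture the value after 'key=' on
    the n-th line of the record (1-based).  Returns None if line n has no
    key=value form.  '.*' stops at the newline, exactly as in the rex."""
    pat = re.compile(r"(?:[^\n]*\n){%d}[^\n]\w+=(?P<value>.*)" % (n - 1))
    m = pat.search(raw)  # leftmost match starts at the first line of the record
    return m.group("value") if m else None


def table(events):
    """Equivalent of '| table EveID ComputerName TaskCategory' over the events:
    one tuple per record that has all three fields."""
    rows = []
    for raw in events:
        fields = extract_anchored(raw)
        if fields:
            rows.append((fields["EveID"], fields["ComputerName"],
                         fields["TaskCategory"]))
    return rows


if __name__ == "__main__":
    for row in table(SAMPLE_EVENTS):
        print("\t".join(row))
    # Positional extraction: line 4 is EventCode, line 7 is ComputerName ...
    print(extract_nth_line(SAMPLE_EVENTS[0], 4),
          extract_nth_line(SAMPLE_EVENTS[0], 7))
    # ... until a line is added; line 7 of the shifted record is Type=Information,
    # while the name-anchored pattern still finds the host.
    print(extract_nth_line(SHIFTED_EVENT, 7),
          extract_anchored(SHIFTED_EVENT)["ComputerName"])
```

Two practical notes. First, the nth-line regex is a fine answer to "give me line N", but a Windows Security record's line order is not a contract; any change in the forwarder's rendering silently moves every field, whereas the name-anchored version fails loudly (no match) only when a key is genuinely absent. Second, Splunk's automatic key=value extraction usually already yields EventCode, ComputerName and TaskCategory for this sourcetype at search time, so it is worth checking the fields sidebar before adding a rex at all; the rex is still useful when you want a differently named field such as EveID or need to capture a value that contains spaces.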

kkossery
Communicator

Thanks MuS. I'll use your output too on a different problem.


MuS
SplunkTrust

What is the expected result of line 4 and line 7? Should line 4 be ComputerName and line 7 RecordNumber? I'm asking because EventCode is not line 1...


kkossery
Communicator

Sorry about that. Expected result should be:

Time     EveID               ComputerName
_time    Event Code=4742     MyHost.com
_time    Event Code=4772     MyHost2.com

etc..
