Extract multiple lines from search output

kkossery
Communicator

Experts,

I have an Event Log output using the search string

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"

The output would be, after truncating it,

10/22/2014 11:49:09 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4742
EventType=0
Type=Information
ComputerName=HostName
TaskCategory=Computer Account Management
OpCode=Info
RecordNumber=3344821
Keywords=Audit Success

etc. for each event code ID.

I would like the lines 1, 4 and 7 from the output for example.
I used regex and was able to get one line, but I do not know how to also match only the 4th and 7th lines. See my expression below:

(?<EveID>EventCode\S+)

That would match EventCode=4742, but how do you expand the expression to include line 4 and line 7?

Thank you.

0 Karma
1 Solution

richgalloway
SplunkTrust

Something like this might do the job:

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739" | rex "(?m)(?<EveID>EventCode=\S*)[\s\S]*ComputerName=(?<ComputerName>\S+)\s+TaskCategory=(?<TaskCategory>[\s\S]+?)\n" | table _time EveID ComputerName TaskCategory
---
If this reply helps you, Karma would be appreciated.

kkossery
Communicator

Thanks richgalloway. How do we also add

TaskCategory=Computer Account Management

to this? Since this has whitespace, I'm unable to figure out how to include the sentence "Computer Account Management".

0 Karma

richgalloway
SplunkTrust

I've updated my answer to include TaskCategory.
You can probably work out how to add it to @MuS's solution.

---
If this reply helps you, Karma would be appreciated.
0 Karma

MuS
Legend

Or, to answer the question of how to get the nth line, try this:

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"
| rex field=_raw "([^\n]*\n){3}([^\n]\w+\=(?<EveID>.*))" 
| rex field=_raw "([^\n]*\n){6}([^\n]\w+\=(?<ComputerName>.*))" 
| table EveID,ComputerName

cheers, MuS

0 Karma
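To make the two approaches in this thread comparable outside Splunk, here is an added Python example (not from the thread or from Splunk): the field-anchored regex from richgalloway's accepted answer and the "skip n-1 lines" regex from MuS's reply, run over constructed events in the shape shown in the question. Python names groups as `(?P<name>...)` where Splunk's rex accepts `(?<name>...)`; the `\A` anchor in `nth_line_value` is my addition so that a non-`key=value` line returns `None` instead of letting the search slide to a later line. The third, shifted event is constructed to show why counting lines is fragile: one extra line before `EventCode` makes "line 4" return a different field, while anchoring on the field name still returns the right value.

```python
import re

# Constructed sample events in the shape shown in the question (not real log data).
EVENTS = [
    "10/22/2014 11:49:09 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4742\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=MyHost.com\n"
    "TaskCategory=Computer Account Management\n"
    "OpCode=Info\n"
    "RecordNumber=3344821\n"
    "Keywords=Audit Success\n",
    "10/22/2014 11:50:12 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4741\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=MyHost2.com\n"
    "TaskCategory=Computer Account Management\n"
    "OpCode=Info\n"
    "RecordNumber=3344822\n"
    "Keywords=Audit Success\n",
]

# Constructed event with one extra line before EventCode: line 4 is no longer
# the EventCode field, which is the weakness of extracting by line number.
SHIFTED_EVENT = (
    "10/22/2014 11:51:00 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "Level=Information\n"
    "EventCode=4743\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=MyHost3.com\n"
    "TaskCategory=Computer Account Management\n"
)

# Python version of the rex in the accepted answer (Python uses (?P<name>...)).
FIELD_RE = re.compile(
    r"(?m)(?P<EveID>EventCode=\S*)[\s\S]*ComputerName=(?P<ComputerName>\S+)"
    r"\s+TaskCategory=(?P<TaskCategory>[\s\S]+?)\n"
)


def extract_by_field(raw):
    """Anchor on the field names; returns None if any of the three fields is absent."""
    m = FIELD_RE.search(raw)
    return m.groupdict() if m else None


def nth_line_value(raw, n):
    """MuS's approach: skip n-1 lines, then take what follows 'key=' on line n.
    \\A (my addition) pins the match to the start of the event, so a line n that
    is not key=value yields None rather than a match on some later line."""
    pat = re.compile(r"\A([^\n]*\n){" + str(n - 1) + r"}([^\n]\w+=(?P<value>.*))")
    m = pat.search(raw)
    return m.group("value") if m else None


def build_rows(events):
    """Rows shaped like '| table _time EveID ComputerName TaskCategory';
    the first line of each event stands in for _time."""
    rows = []
    for raw in events:
        fields = extract_by_field(raw)
        if fields is None:
            continue
        rows.append({"_time": raw.split("\n", 1)[0], **fields})
    return rows


if __name__ == "__main__":
    for row in build_rows(EVENTS + [SHIFTED_EVENT]):
        print(row)
    # Line counting picks up the inserted line instead of EventCode.
    print("line 4 of shifted event:", nth_line_value(SHIFTED_EVENT, 4))
```

`nth_line_value` is convenient when the event layout is fixed, but `extract_by_field` is the safer choice for a detection search, since it keeps returning the right EventCode and ComputerName even when an event carries extra or reordered lines.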

kkossery
Communicator

Thanks MuS. I'll use your output too on a different problem.

0 Karma

MuS
Legend

What is the expected result of line 4 and line 7? Should line 4 be ComputerName and line 7 RecordNumber? I'm asking because EventCode is not line 1...

0 Karma

kkossery
Communicator

Sorry about that. Expected result should be,

Time    EveID              ComputerName
_time   Event Code=4742    MyHost.com
_time   Event Code=4772    MyHost2.com

etc..

0 Karma