Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field extraction (regex)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Field extraction (regex)
New Policy:
Success Failure
+ + Logon/Logoff
+ - Object Access
+ - Privilege Use
+ + Account Management
+ - Policy Change
+ - System
+ - Detailed Tracking
+ - Directory Service Access
+ + Account Logon
I want to be able to list these in a chart so that it displays the new policy that has changed in each field. I am not sure how to create a regex to generate this type of results. Let me know if more information is needed. Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would suggest this:
sourcetype=WinEvent:Security
| rex field=_raw "New Policy: Success Failure (?<newPolicy>.*?)Changed By:"
| eval newPolicies=replace(newPolicy,"([+-] [+-])",":\1")
| eval newPolicies=split(newPolicies,":")
| eval newPolicies=mvfilter(newPolicies!=NULL)
| table EventCode newPolicies
This will give you a multi-valued field (newPolicies) for the policy changes, as well as a single-valued field that is simply the policy change string (newPolicy).
However, you might want to expand this in a different way, depending on the exact reporting that you want.
What sort of reporting do you want to do with this field? Count by policy change? Search for particular changes? Look for various +/- combinations?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you know that a policy field has changed? Is it the + and - ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I updated the search above, hopefully eliminating the mvfilter error
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it says:
Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to list the new policy fields that have changed from the old ones, but i am not sure how i would go about doing that. Thank you for the response
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes it is WinEvent:Security
LogName=Security SourceName=Security EventCode=612 EventType=8 Type=Success Audit ComputerName=W573712 User=SYSTEM Sid=S-1-5-18 SidType=1 Category=6 CategoryString=Policy Change RecordNumber=325253 Message=Audit Policy Change: New Policy: Success Failure + + Logon/Logoff - + Object Access - - Privilege Use + + Account Management + - Policy Change + - System - - Detailed Tracking - - Directory Service Access + + Account Logon Changed By: User Name: W57371248$ Domain Name: SERVER Logon ID: (0x0,0x3E7)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the sourcetype? And can you show an example of the data? (I'm guessing that it's the WinEvent:Security, but some folks don't have samples of that data available to them.)
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Splunk MCP & Agentic AI: Machine Data Without Limits
