I don't know why I'm finding it so hard, but I want to put the accesses from Windows Event 5145 into a multivalued field and I just can't seem to figure it out.
By default, Splunk just assigns the first value.
So I've been trying to work with this
| rex "Accesses:[\s]+(?<AccessList>[^v]*)[\v]+Access Check Results:"
04/25/2022 01:23:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=test.act.root
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=984613134
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID: S-1-5-99-99999999-999999999-999999999-99999
Account Name: XXXX
Account Domain: act
Logon ID: 0x999999
Network Information:
Object Type: File
Source Address: 10.1.1.100
Source Port: 60000
Share Information:
Share Name: \\fileshare\file.xxx
Share Path: \??\O:\Shared\fileshare\file.xxx
Relative Target Name: target\share
Access Request Information:
Access Mask: 0x100081
Accesses: SYNCHRONIZE
ReadData (or ListDirectory)
ReadAttributes
Access Check Results:
That appears to return the following in AccessList
SYNCHRONIZE
ReadData (or ListDirectory)
ReadAttributes
Are you wanting to turn that into an MV field?
You could add this to clean up the data
| eval AccessList=trim(split(replace(AccessList, "\n", "_"), "_"))
| eval AccessList=mvfilter(len(AccessList)>0)
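A complete search built on the same idea, as an added example (not the answer's own code and not from the original post). It assumes the events live in an index called wineventlog and that the message body is in _raw with the same layout as the sample event above; adjust the index and sourcetype to your environment. Instead of a negated single-character class, the first rex uses a lazy multi-line capture with the (?s) flag, bounded by the "Accesses:" and "Access Check Results:" labels, so the capture does not depend on which characters the access names contain; the second rex runs with max_match=0 on the captured block, which is what turns one line per access into a multivalue field without a separate split/filter step. The Share Name, Relative Target Name, Source Address and Account Name extractions and their field names are my own additions for the final stats.

```spl
index=wineventlog sourcetype=WinEventLog EventCode=5145
| rex "(?s)Accesses:\s+(?<AccessBlock>.+?)\s*Access Check Results:"
| rex field=AccessBlock max_match=0 "(?m)^\s*(?<AccessList>\S[^\r\n]*?)\s*$"
| rex "(?m)Share Name:\s+(?<ShareName>\S.*?)\s*$"
| rex "(?m)Relative Target Name:\s+(?<TargetName>\S.*?)\s*$"
| rex "(?m)Source Address:\s+(?<SrcIp>\S.*?)\s*$"
| rex "(?m)Account Name:\s+(?<AccountName>\S.*?)\s*$"
| fields - AccessBlock
| mvexpand AccessList
| stats count BY AccountName SrcIp ShareName TargetName AccessList
```

Against the sample event on this page the second rex yields the three values SYNCHRONIZE, ReadData (or ListDirectory) and ReadAttributes in AccessList, with the indentation and trailing whitespace of each line stripped by the \s* on either side of the capture. Drop the mvexpand and stats lines if you only want the multivalue field on each event; they are there to show the usual next step, counting which access rights each account requested on which share and target.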
I guess that works. Funny, because my rex has an error: I didn't mean to look for "not v"; I'd been trying to say "not vertical space":
[^\v]*
But it does still work to do what you suggested. Thanks!