Splunk Search

How do I extract non-blank lines from Windows Event 4738 ?

ttovarzoll
Path Finder

I am trying to write a Report which queries our Windows Security Event logs for event # 4738, "user account was changed." There is a field, MSADChangedAttribute, which looks like this:

SAM Account Name:	-
	Display Name:		-
	User Principal Name:	-
	Home Directory:		-
	Home Drive:		-
	Script Path:		-
	Profile Path:		-
	User Workstations:	-
	Password Last Set:	1/26/2021 2:31:01 AM
	Account Expires:		-
	Primary Group ID:	-
	AllowedToDelegateTo:	-
	Old UAC Value:		-
	New UAC Value:		-
	User Account Control:	-
	User Parameters:	-
	SID History:		-
	Logon Hours:		-

I want to make the Report more condensed and human-readable by extracting only the lines in that field which do not include "-". I have successfully identified the regex which does this, but I can't figure out how to write it as a rex extract.

For instance, the following code works on regex101.com to extract a new 'output' field

(?<output>^[^-]*$)

but when I put that into rex it has no result

| rex field=MSADChangedAttribute  max_match=0  "(?<Changed>^[^-]*$)"

(NOTE: I added 'max_match=0' because sometimes there is more than one line with new changes)

ttovarzoll
Path Finder

I think maybe the issue here is that Splunk is seeing that 'MSADChangedAttribute' as one long string (albeit with a bunch of line-breaks), i.e., there will always be a "-" character somewhere. Instead, maybe I need to break the original field into multiple fields -- so that the regex can evaluate them individually?


ttovarzoll
Path Finder

OK, I finally figured it out. I had to make two changes:

  • use regex to replace all line-breaks (\r\n) with a delimiter (***)
  • convert multi-line "MSADChangedAttributes" into a multi-value field

Now my original regex works!

| rex mode=sed field=MSADChangedAttributes "s/\r\n/***/g"
| makemv delim="***" MSADChangedAttributes
| rex field=MSADChangedAttributes  max_match=0  "(?<Changed>^[^-]*$)"


beechnut
Loves-to-Learn Everything

Hello ttovarzoll,

Thank you for providing your solutions. Unfortunately it doesn't work in all cases, as shown in the following screenshots where the 'User Account Control' is filled. I can imagine that this is also the case for other fields.

Did you come across this issue, and do you perhaps have a solution for this?

[Screenshots attached: beechnut_0-1697789578448.png, beechnut_0-1697789995186.png]

Kind regards,

Jos


ITWhisperer
SplunkTrust

Try something like this on the original (unedited) field

| rex field=MSADChangedAttributes  max_match=0  "(?m)(?<Changed>^[^-]*$)"

beechnut
Loves-to-Learn Everything

Unfortunately that doesn't do the trick; it seems that the regex below, used to replace all line-breaks (\r\n) with a delimiter (***), is at fault:

| rex mode=sed field=MSADChangedAttributes "s/\r\n/***/g"

It produces an extra "***" after 'User Account Control:'

[Screenshot attached: beechnut_1-1697812381066.png]

So somehow I have to take into account that multiple line-breaks need to be replaced...


SAM Account Name:	-
	Display Name:		-
	User Principal Name:	-
	Home Directory:		-
	Home Drive:		-
	Script Path:		-
	Profile Path:		-
	User Workstations:	-
	Password Last Set:	-
	Account Expires:		-
	Primary Group ID:	-
	AllowedToDelegateTo:	-
	Old UAC Value:		0x210
	New UAC Value:		0x10
	User Account Control:	
		'Don't Expire Password' - Disabled
	User Parameters:	-
	SID History:		-
	Logon Hours:		-


ITWhisperer
SplunkTrust

As I said, use my rex on the unedited field, i.e. replace the three lines in the solution with just my one line.


beechnut
Loves-to-Learn Everything

Ah ok, I just did that and this also doesn't work, as can be seen at: https://regex101.com/r/Papbq3/1

To make matters worse, the 'User Account Control' field can contain multiple values when you, for example, disable an account and at the same time enable 'Don't Expire Password'. 😓 (https://regex101.com/r/OBVqt2/1)


ITWhisperer
SplunkTrust

Please raise a new question detailing your input events (examples), expected results and the logic used to get the expected results.

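Added example, not part of the thread: a Python emulation (Splunk itself cannot be run here; for these patterns Python's re treats (?m), ^, $ and [^-] the same way as the PCRE engine behind rex) of the three approaches discussed above, run on a constructed copy of the second event's MSADChangedAttributes text. It shows the bare 'User Account Control:' element left by the sed + makemv split, the multi-line span produced by the (?m) regex, and a line-aware parse that keeps continuation lines such as the User Account Control value.

```python
import re

# Constructed sample of the MSADChangedAttributes field, modelled on the second
# event posted in the thread (CRLF line endings, multi-line User Account Control).
SAMPLE = (
    "SAM Account Name:\t-\r\n"
    "\tDisplay Name:\t\t-\r\n"
    "\tPassword Last Set:\t-\r\n"
    "\tOld UAC Value:\t\t0x210\r\n"
    "\tNew UAC Value:\t\t0x10\r\n"
    "\tUser Account Control:\t\r\n"
    "\t\t'Don't Expire Password' - Disabled\r\n"
    "\tUser Parameters:\t-\r\n"
    "\tLogon Hours:\t\t-"
)


def sed_makemv_rex(text):
    """Emulates the accepted answer: split on CRLF (the sed + makemv steps) and
    keep each element matching ^[^-]*$. The empty 'User Account Control:' label
    survives while its continuation line (which contains '-') is dropped."""
    return [v for v in text.split("\r\n") if re.fullmatch(r"[^-]*", v)]


def multiline_rex(text):
    """Emulates ITWhisperer's (?m)^[^-]*$ on the unedited field. [^-] also
    matches CR and LF, so a single match runs across several lines."""
    return re.findall(r"(?m)^[^-]*$", text)


# 'Label:<whitespace>value' line; a line without a colon is a continuation.
LABEL = re.compile(r"^\s*(?P<attr>[^:]+):\s*(?P<value>.*)$")


def changed_attributes(text):
    """Line-aware parse: each labelled line starts an attribute, any other
    non-blank line is appended to the previous attribute (so multi-valued
    User Account Control entries are kept). Returns only attributes with a
    non-empty value other than '-'."""
    attrs = []
    for line in re.split(r"\r?\n", text):
        m = LABEL.match(line)
        if m:
            attrs.append([m["attr"].strip(), m["value"].strip()])
        elif line.strip() and attrs:
            prev = attrs[-1][1]
            attrs[-1][1] = f"{prev}; {line.strip()}" if prev else line.strip()
    return {attr: value for attr, value in attrs if value and value != "-"}
```

Running changed_attributes(SAMPLE) yields only the Old UAC Value, New UAC Value and User Account Control entries, with the "'Don't Expire Password' - Disabled" text attached to the last one.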