Splunk Search

How do I extract non-blank lines from Windows Event 4738 ?

ttovarzoll
Path Finder

I am trying to write a Report which queries our Windows Security Event logs for event # 4738, "user account was changed." There is a field, MSADChangedAttribute, which looks like this:

SAM Account Name:	-
	Display Name:		-
	User Principal Name:	-
	Home Directory:		-
	Home Drive:		-
	Script Path:		-
	Profile Path:		-
	User Workstations:	-
	Password Last Set:	1/26/2021 2:31:01 AM
	Account Expires:		-
	Primary Group ID:	-
	AllowedToDelegateTo:	-
	Old UAC Value:		-
	New UAC Value:		-
	User Account Control:	-
	User Parameters:	-
	SID History:		-
	Logon Hours:		-

I want to make the Report more condensed and human-readable by extracting only the lines in that field which do not include "-". I have successfully identified the regex command which does this, but I can't figure out how to write it as a rex extraction.

For instance, the following code works on regex101.com to extract a new 'output' field:

(?<output>^[^-]*$)

but when I put that into rex it has no result:

| rex field=MSADChangedAttribute  max_match=0  "(?<Changed>^[^-]*$)"

(NOTE: I added 'max_match=0' because sometimes there are more than 1 lines with new changes)


ttovarzoll
Path Finder

I think maybe the issue here is that Splunk is seeing that 'MSADChangedAttribute' as one long string (albeit with a bunch of line-breaks), i.e., there will always be a "-" character somewhere. Instead, maybe I need to break the original field into multiple fields -- so that the regex can evaluate them individually?


ttovarzoll
Path Finder

OK, I finally figured it out. I had to make two changes:

  • use regex to replace all line-breaks (\r\n) with a delimiter (***)
  • convert multi-line "MSADChangedAttributes" into a multi-value field

Now my original regex works!

| rex mode=sed field=MSADChangedAttributes "s/\r\n/***/g"
| makemv delim="***" MSADChangedAttributes
| rex field=MSADChangedAttributes  max_match=0  "(?<Changed>^[^-]*$)"

beechnut
Loves-to-Learn Everything

Hello ttovarzoll,

Thank you for providing your solution. Unfortunately it doesn't work in all cases, as shown in the following screenshots where the 'User Account Control' is filled. I can imagine that this is also the case for other fields.

Did you come across this issue, and do you perhaps have a solution for this?


Kind regards,

Jos


ITWhisperer
SplunkTrust

Try something like this on the original (unedited) field:

| rex field=MSADChangedAttributes  max_match=0  "(?m)(?<Changed>^[^-]*$)"

beechnut
Loves-to-Learn Everything

Unfortunately that doesn't do the trick. It seems that the regex below, used to replace all line-breaks (\r\n) with a delimiter (***), is at fault:

| rex mode=sed field=MSADChangedAttributes "s/\r\n/***/g"

It produces an extra "***" after 'User Account Control:'.

So somehow I have to take into account that multiple line-breaks need to be replaced...
SAM Account Name:	-
	Display Name:		-
	User Principal Name:	-
	Home Directory:		-
	Home Drive:		-
	Script Path:		-
	Profile Path:		-
	User Workstations:	-
	Password Last Set:	-
	Account Expires:		-
	Primary Group ID:	-
	AllowedToDelegateTo:	-
	Old UAC Value:		0x210
	New UAC Value:		0x10
	User Account Control:	
		'Don't Expire Password' - Disabled
	User Parameters:	-
	SID History:		-
	Logon Hours:		-


ITWhisperer
SplunkTrust

As I said, use my rex on the unedited field, i.e. replace the three lines in the solution with just my one line.


beechnut
Loves-to-Learn Everything

Ah okay, I just did that, and this also doesn't work, as can be seen at: https://regex101.com/r/Papbq3/1

To make matters worse, the 'User Account Control' field can contain multiple values when you, for example, disable an account and at the same time enable 'Don't Expire Password'. 😓 (https://regex101.com/r/OBVqt2/1)

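The two behaviours this thread turns on, written up as an added Python example (this is not Splunk SPL and not code from any poster): first, the thread's `(?m)^[^-]*$` pattern run by Python's re engine, which like PCRE lets `[^-]` match a newline, so the pattern can swallow several lines in one match and still drops any line whose value legitimately contains a "-"; second, a line-oriented parser in the spirit of the makemv solution that treats an attribute as unchanged only when its value is exactly "-", so a User Account Control value such as `'Don't Expire Password' - Disabled` is kept. The samples are constructed from the field layouts quoted above; the rule that a line indented by two tabs continues the preceding attribute, and the second UAC flag in the sample, are assumptions taken from that layout.

```python
import re
from typing import Optional

# Constructed samples reproducing the layout of the MSADChangedAttributes field
# quoted in this thread: "Name:<tabs>value" lines, CRLF-separated, one leading tab
# on every line but the first. The second sample is the case beechnut ran into:
# "User Account Control:" has an empty value and its real value sits on indented
# continuation lines (two tabs) whose text itself contains a "-".
SAMPLE_PASSWORD_ONLY = "\r\n".join([
    "SAM Account Name:\t-",
    "\tDisplay Name:\t\t-",
    "\tUser Principal Name:\t-",
    "\tPassword Last Set:\t1/26/2021 2:31:01 AM",
    "\tAccount Expires:\t\t-",
    "\tLogon Hours:\t\t-",
])

SAMPLE_UAC = "\r\n".join([
    "SAM Account Name:\t-",
    "\tPassword Last Set:\t-",
    "\tOld UAC Value:\t\t0x210",
    "\tNew UAC Value:\t\t0x10",
    "\tUser Account Control:\t",
    "\t\t'Don't Expire Password' - Disabled",
    "\t\tAccount Disabled",  # constructed second flag: the multi-value case beechnut describes
    "\tUser Parameters:\t-",
    "\tLogon Hours:\t\t-",
])

THREAD_REGEX = re.compile(r"(?m)^[^-]*$")  # the pattern from the thread, with (?m)


def dash_free_lines_regex(field: str) -> list[str]:
    """Run the thread's regex over the raw field with Python's re engine.
    Because [^-] also matches '\\r' and '\\n', [^-]* runs across line breaks
    until it hits a '-', then backtracks to the nearest line end; one match
    can therefore span several lines, and a line whose value contains a '-'
    never matches at all."""
    return THREAD_REGEX.findall(field)


def parse_changed_attributes(field: str) -> dict[str, list[str]]:
    """Line-oriented parse (the idea behind the makemv solution) with two
    changes: an attribute is 'unchanged' only when its value is exactly '-',
    and a line indented two or more tabs is a continuation value of the
    preceding attribute (an assumption taken from the sample layout)."""
    changed: dict[str, list[str]] = {}
    current: Optional[str] = None
    for raw in field.splitlines():        # splitlines() handles \r\n; no sed step needed
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip("\t"))
        if indent >= 2 and current is not None:
            changed[current].append(raw.strip())
            continue
        name, sep, value = raw.strip().partition(":")
        if not sep:
            continue                      # not a "Name: value" line; ignore it
        name, value = name.strip(), value.strip()
        if value == "-":
            current = None                # attribute not changed by this event
            continue
        current = name
        changed[name] = [value] if value else []   # empty value: wait for continuation lines
    return {k: v for k, v in changed.items() if v}


if __name__ == "__main__":
    for sample in (SAMPLE_PASSWORD_ONLY, SAMPLE_UAC):
        print("regex matches:", [m.strip() for m in dash_free_lines_regex(sample)])
        print("parsed       :", parse_changed_attributes(sample))
```

On the second sample the regex returns two matches, the first of which is one string covering the Old UAC Value, New UAC Value and User Account Control lines together, and the 'Don't Expire Password' line is absent entirely; the parser returns each changed attribute with its value list, which is the condensed, human-readable form the original question asked for. Splunk's PCRE-based rex may differ in detail from Python's re, so treat the regex half as an illustration of the anchor and character-class behaviour rather than a statement about Splunk's exact output.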

ITWhisperer
SplunkTrust

Please raise a new question detailing your input events (examples), expected results, and the logic used to get the expected results.
