Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I specify results from a log where fields repeat with different values?

BlackZao
Explorer
‎06-10-2013 07:49 AM

I am trying to create a visualization of a search that I am performing which brings up Security Audit log files that look like this:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=(domain.controller)
TaskCategory=User Account Management
OpCode=Info
RecordNumber=(look! A number!)
Keywords=Audit Success
Message=A user account was created.

Subject:
    Security ID:        (Domain)\(System Account)
    Account Name:       (System Account)
    Account Domain:     (Domain)
    Logon ID:       (A hex string appears!)

New Account:
    Security ID:        (Domain)\(New User ID)
    Account Name:       (New User ID)
    Account Domain:     (Domain)

What I am trying to do is specify that I want the Account Name fields listed in two separate columns of a table, one column for the Subject: Account Name: and one for New Account: Account Name: to show what accounts created what accounts over time. The problem is that the search just sees Account Name twice and aggregates it all into one field.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

JSapienza
Contributor
‎06-10-2013 08:46 AM

For a search time extraction you could do something like this:

source="WinEventLog:Security" "EventCode=4720" |rex field=_raw "Subject:\s*.*\s*Account Name:\s+(?<Account_Name_Subject>\S.*)" |rex field=_raw "New Account:\s*.*\s*Account Name:\s+(?<Account_Name_New>\S.*)"|table Account_Name_Subject, Account_Name_New

View solution in original post

Reply
Solved! Jump to solution
Solution

JSapienza
Contributor
‎06-10-2013 08:46 AM

For a search time extraction you could do something like this:

source="WinEventLog:Security" "EventCode=4720" |rex field=_raw "Subject:\s*.*\s*Account Name:\s+(?<Account_Name_Subject>\S.*)" |rex field=_raw "New Account:\s*.*\s*Account Name:\s+(?<Account_Name_New>\S.*)"|table Account_Name_Subject, Account_Name_New
Reply
Solved! Jump to solution

BlackZao
Explorer
‎06-10-2013 08:50 AM

Absolutely perfect, thank you!

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎06-10-2013 08:13 AM

You can use the mvindex() function in eval to get to the second one, which is what I suspect you want. 

sourcetype=WinEventLog:Security EventCode=4720 | eval New_Account_Name = mvindex(Account_Name,1) | the rest of your search

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonEvalFunctions

/K

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...