Splunk Search

How do I write a search to extract key/value pairs from this Windows Event Log?

New Member

Hi,

I am looking for a search to extract the name/value pairs from the Windows Event log below. In Splunk, this message is under the "events" field:

Successful Logon: User Name: xxxx Domain: xxxx Logon ID: xxx Logon Type: x Logon Process: User32 Authentication Package: Negotiate Workstation Name: xxxx Logon GUID: xxx Caller User Name: xxx Caller Domain: xx Caller Logon ID: xxx Caller Process ID: xxx Transited Services: - Source Network Address: xxx.xxx.xxx.xxx Source Port: xxxx


Esteemed Legend

This is your REGEX:

([^:]+):\s+([^:\s]+)

Do you need help in your *.conf files?

Motivator

Hello! Can you be more specific, please?


New Member

Actually, I wanted to extract all the values into new field names and display them in a tabular format, like user_name, logon_id, logon_type, logon_process, etc.

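Putting the two requests together (extract the pairs, then show them as a table with names like user_name and logon_id), here is an added Python example. It is not code from the thread or from Splunk; the sample event, its placeholder values and the extra event_name field are assumptions. It parses the posted message shape with a regex anchored on the labels that appear in the message, turns each label into the requested snake_case column name, and also runs the regex from the reply above on the same message so the difference is visible: that regex pairs the message title "Successful Logon" with the word "User", and its `[^:\s]+` stops every value at the first space.

```python
import re

# Constructed sample in the shape of the event from the original post; the values
# (user, domain, IDs, addresses) are placeholders, not real log data.
SAMPLE_EVENT = (
    "Successful Logon: User Name: jdoe Domain: CORP Logon ID: (0x0,0x3E7) "
    "Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate "
    "Workstation Name: WS01 Logon GUID: {00000000-0000-0000-0000-000000000000} "
    "Caller User Name: WS01$ Caller Domain: CORP Caller Logon ID: (0x0,0x3E7) "
    "Caller Process ID: 1234 Transited Services: - "
    "Source Network Address: 10.0.0.5 Source Port: 49152"
)

# The field labels that appear in the posted message. Anchoring on a fixed key list
# (instead of "anything up to a colon") keeps multi-word labels such as
# "Source Network Address" intact and stops the message title from being paired
# with the first label.
KNOWN_KEYS = [
    "User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
    "Authentication Package", "Workstation Name", "Logon GUID",
    "Caller User Name", "Caller Domain", "Caller Logon ID", "Caller Process ID",
    "Transited Services", "Source Network Address", "Source Port",
]

# Longest labels first so "Caller Logon ID" is never matched as "Logon ID".
_ALT = "|".join(re.escape(k) for k in sorted(KNOWN_KEYS, key=len, reverse=True))
# A value runs from the colon up to just before the next known label (or the end
# of the message), so a value that contains spaces survives intact.
PAIR_RE = re.compile(rf"(?P<key>{_ALT}):\s*(?P<value>.*?)(?=\s+(?:{_ALT}):|$)")
# The message title ("Successful Logon") precedes the first real key/value pair.
TITLE_RE = re.compile(rf"^(?P<title>[^:]+):\s+(?=(?:{_ALT}):)")

# Regex posted in the thread, used here only to show how it pairs things up.
THREAD_RE = re.compile(r"([^:]+):\s+([^:\s]+)")


def field_name(label):
    """Turn 'Logon Type' into 'logon_type' (the column names the poster asked for)."""
    return re.sub(r"[^a-z0-9]+", "_", label.lower()).strip("_")


def parse_logon_event(message):
    """Return {field_name: value} for one message; 'event_name' (assumed name) holds the title."""
    fields = {}
    title = TITLE_RE.match(message)
    if title:
        fields["event_name"] = title.group("title").strip()
    for m in PAIR_RE.finditer(message):
        # Values are kept verbatim; Windows writes "-" for an empty field.
        fields[field_name(m.group("key"))] = m.group("value")
    return fields


def thread_regex_pairs(message):
    """Raw (key, value) pairs produced by the thread's regex, for comparison."""
    return [(k.strip(), v) for k, v in THREAD_RE.findall(message)]


def to_rows(messages, columns):
    """Flatten parsed messages into rows with a fixed column order, like `| table`."""
    return [[parse_logon_event(msg).get(col, "") for col in columns] for msg in messages]


if __name__ == "__main__":
    cols = ["user_name", "logon_id", "logon_type", "logon_process", "source_network_address"]
    print(cols)
    for row in to_rows([SAMPLE_EVENT], cols):
        print(row)
    # First two pairs from the thread's regex: the title is paired with "User",
    # and the key that follows is "Name" rather than "User Name".
    print(thread_regex_pairs(SAMPLE_EVENT)[:2])
```

In Splunk itself the same idea is a search-time extraction: a transforms.conf stanza with REGEX, FORMAT = $1::$2 and REPEAT_MATCH = true, referenced from props.conf with a REPORT- setting; Splunk cleans the captured labels into field names (spaces become underscores), after which `| table` gives the tabular output the poster wants. Whichever regex goes into that stanza, test it against a real event first, because the pairing mistake shown above is silent: the search runs, it just produces a wrong first field.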