Splunk Search

How to Combine two Rex fields and get results in a Table

GRC
Path Finder

Hi there,

I have 2 separate queries that I built using Rex.

1. This query captures the log on and log off status of the service.

Query:

index=windows_log host=abc-05-hiddencam logged*

| rex field=_raw  "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\w+-\w+).+Audit\S+\s\w+\s\w+\s(?<status>.+).\s\s\s\sSub.*"

| eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status
| table "Hidden Cam Monitoring"

1. Sample Output:

Dec 10 13:35:12 : abc-05-hiddencam successfully logged on

Dec 10 06:19:24 : abc-05-hiddencam successfully logged on

Dec 10 06:17:01 : abc-05-hiddencam logged off

Dec 10 06:11:55 : abc-05-hiddencam logged off

 

2. This query captures the service entering the start or stop status.

Query:

index=windows_log host=abc-05-hiddencam entered*

| rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\d+-\w+).*(?<status>service\s\w+\s\w+\s\w+\s\w+)"

| eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status

| table "Hidden Cam Monitoring"

 

2. Sample Output:

Dec 10 16:10:04 : abc-05-hiddencam service entered the stopped state

Dec 10 15:31:31 : abc-05-hiddencam service entered the stopped state

Dec 10 15:28:19 : abc-05-hiddencam service entered the running state

Dec 10 15:28:18 : abc-05-hiddencam service entered the running state

 

My issue is, I want to combine above queries into a single query and get an output in a table as shown below.

3. Expected sample results:

Dec 10 13:35:12 : abc-05-hiddencam successfully logged on

Dec 10 16:10:04 : abc-05-hiddencam service entered the stopped state

Dec 10 06:19:24 : abc-05-hiddencam successfully logged on

Dec 10 15:28:18 : abc-05-hiddencam service entered the running state

Dec 10 06:17:01 : abc-05-hiddencam logged off

Dec 10 15:28:19 : abc-05-hiddencam service entered the running state

Dec 10 06:11:55 : abc-05-hiddencam logged off

Dec 10 15:31:31 : abc-05-hiddencam service entered the stopped state

(The results are going to be different from the above based on the timestamp and the events. What I mean here is that the results come mixed together in a single table as and when they take place.)

Thank you heaps in advance. 


gcusello
SplunkTrust

Hi @GRC,

please try something like this:

index=windows_log host=abc-05-hiddencam (logged* OR entered*)
| rex "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\w+-\w+).+Audit\S+\s\w+\s\w+\s(?<status>.+).\s\s\s\sSub.*"
| rex "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\d+-\w+).*(?<status>service\s\w+\s\w+\s\w+\s\w+)"
| eval "Hidden Cam Monitoring" = Date." : ".hostname." ".status
| table "Hidden Cam Monitoring"

I could be more sure if you could share some samples of both your logs.

Ciao.

Giuseppe

 


GRC
Path Finder

Hi @gcusello ,

Thank you for trying to help. However, it did not work. I can provide you some sample log data for both so it is easy to understand what I am trying to achieve. Please feel free to rename the fields (date, hostname, status) in my regex when combining the queries so it does not confuse Splunk.

Query 1:

index=windows_log host=abc-05-hiddencam logged*

| rex field=_raw  "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\w+-\w+).+Audit\S+\s\w+\s\w+\s(?<status>.+).\s\s\s\sSub.*"

| eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status
| table "Hidden Cam Monitoring"

Sample Data:

Dec 11 13:35:05 abc-05-hiddencam EventLog#0111#011Security#011618268#011Sat Dec 11 13:35:03 2021#0114624#011Microsoft-Windows-Security-Auditing#011NT AUTHORITY\SYSTEM#011N/A#011Success Audit#011abc-05-hiddencam#011Logon#011#011An account was successfully logged on.    SubjectPackage Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is

Dec 11 13:30:34 abc-05-hiddencam EventLog#0111#011Security#011618223#011Sat Dec 11 13:30:31 2021#0114624#011Microsoft-Windows-Security-Auditing#011NT AUTHORITY\SYSTEM#011N/A#011Success Audit#011abc-05-hiddencam#011Logon#011#011An account was successfully logged on.    Subject:

Dec 10 06:11:55 abc-05-hiddencam EventLog#0111#011Security#011616614#011Fri Dec 10 06:11:52 2021#0114634#011Microsoft-Windows-Security-Auditing#011abc-05-hiddencam\operations#011N/A#011Success Audit#011abc-05-hiddencam#011Logoff#011#011An account was logged off.    Subject

 

Query 2:

index=windows_log host=abc-05-hiddencam entered*

| rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\d+-\w+).*(?<status>service\s\w+\s\w+\s\w+\s\w+)"

| eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status
| table "Hidden Cam Monitoring"

Sample Data:

Dec 11 19:10:38 abc-05-hiddencam EventLog#0111#011System#0119#011Sat Dec 11 19:10:38 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.#01175830

Dec 11 18:55:46 abc-05-hiddencam EventLog#0111#011System#011618596#011Sat Dec 11 18:55:46 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The Google Update Service (gupdate) service entered the stopped state.#01175829

Dec 11 18:52:38 abc-05-hiddencam EventLog#0111#011System#011618594#011Sat Dec 11 18:52:38 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.#01175828

Thank you so much for your help.

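An added offline check (not part of the thread, and not the poster's or Splunk's code) that runs both rex patterns against the six raw events GRC posted above. It mirrors what two chained `rex` commands do in SPL: each pattern contributes its fields only where it matches, so the two patterns can share the field names Date, hostname and status as long as no single event matches both. The script confirms that property for the sample data, builds the "Hidden Cam Monitoring" string the same way the eval does, and orders rows newest-first as Splunk would. Assumptions: Python's `re` is used in place of Splunk's PCRE engine, so the named groups are written `(?P<name>...)` instead of `(?<name>...)`; everything else in the two patterns is copied verbatim from the thread. The sample events are embedded inline so the script runs without a Splunk instance.

```python
import re
from datetime import datetime

# Constructed sample input: the six raw events from GRC's reply (three Security
# log logon/logoff events, three System log Service Control Manager events).
SAMPLE_EVENTS = [
    r"Dec 11 13:35:05 abc-05-hiddencam EventLog#0111#011Security#011618268#011Sat Dec 11 13:35:03 2021#0114624#011Microsoft-Windows-Security-Auditing#011NT AUTHORITY\SYSTEM#011N/A#011Success Audit#011abc-05-hiddencam#011Logon#011#011An account was successfully logged on.    SubjectPackage Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is",
    r"Dec 11 13:30:34 abc-05-hiddencam EventLog#0111#011Security#011618223#011Sat Dec 11 13:30:31 2021#0114624#011Microsoft-Windows-Security-Auditing#011NT AUTHORITY\SYSTEM#011N/A#011Success Audit#011abc-05-hiddencam#011Logon#011#011An account was successfully logged on.    Subject:",
    r"Dec 10 06:11:55 abc-05-hiddencam EventLog#0111#011Security#011616614#011Fri Dec 10 06:11:52 2021#0114634#011Microsoft-Windows-Security-Auditing#011abc-05-hiddencam\operations#011N/A#011Success Audit#011abc-05-hiddencam#011Logoff#011#011An account was logged off.    Subject",
    r"Dec 11 19:10:38 abc-05-hiddencam EventLog#0111#011System#0119#011Sat Dec 11 19:10:38 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.#01175830",
    r"Dec 11 18:55:46 abc-05-hiddencam EventLog#0111#011System#011618596#011Sat Dec 11 18:55:46 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The Google Update Service (gupdate) service entered the stopped state.#01175829",
    r"Dec 11 18:52:38 abc-05-hiddencam EventLog#0111#011System#011618594#011Sat Dec 11 18:52:38 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.#01175828",
]

# Query 1's rex, with Python-style named groups (assumption: (?P<..>) is the
# only change needed relative to the PCRE syntax Splunk's rex accepts).
LOGON_RE = re.compile(
    r"(?P<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?P<hostname>\w+-\w+-\w+).+Audit\S+\s\w+\s\w+\s(?P<status>.+).\s\s\s\sSub.*"
)
# Query 2's rex, same treatment.
SERVICE_RE = re.compile(
    r"(?P<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?P<hostname>\w+-\d+-\w+).*(?P<status>service\s\w+\s\w+\s\w+\s\w+)"
)

PATTERNS = (("logon", LOGON_RE), ("service", SERVICE_RE))


def matching_patterns(raw):
    """Names of the rex patterns that match this event. Chaining two rex commands
    that write the same field names is only safe if this list has at most one entry."""
    return [name for name, pattern in PATTERNS if pattern.search(raw)]


def extract(raw):
    """Emulate `| rex ... | rex ...`: a non-matching rex leaves the fields untouched,
    a matching one (over)writes them. Returns None when neither pattern matched."""
    fields = {}
    for _, pattern in PATTERNS:
        match = pattern.search(raw)
        if match:
            fields.update(match.groupdict())
    return fields or None


def combined_table(events):
    """Build the 'Hidden Cam Monitoring' column for a mixed list of events,
    newest first (Splunk's default ordering), skipping events neither rex parsed."""
    rows = []
    for raw in events:
        fields = extract(raw)
        if fields is None:
            continue  # in Splunk the eval would produce a null field here
        # Syslog-style timestamps carry no year; ordering within a year is all we need.
        when = datetime.strptime(fields["Date"], "%b %d %H:%M:%S")
        rows.append((when, f"{fields['Date']} : {fields['hostname']} {fields['status']}"))
    rows.sort(key=lambda row: row[0], reverse=True)
    return [text for _, text in rows]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(matching_patterns(event))
    for line in combined_table(SAMPLE_EVENTS):
        print(line)
```

Each sample event matches exactly one of the two patterns, so chaining the two rex commands does not clobber fields; the remaining requirement is that the base search actually returns both event types, i.e. `logged* OR entered*` rather than `logged*` alone, since an event the base search never returns cannot be parsed by either rex.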