How to Combine two Rex fields and get results in a Table

GRC
Path Finder

Hi there,

I have 2 separate queries that I built using Rex.

1. This query captures the log-on and log-off status of the service.

Query:

index=windows_log host=abc-05-hiddencam logged*
| rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\w+-\w+).+Audit\S+\s\w+\s\w+\s(?<status>.+).\s\s\s\sSub.*"
| eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status
| table "Hidden Cam Monitoring"

1. Sample Output:

Dec 10 13:35:12 : abc-05-hiddencam successfully logged on
Dec 10 06:19:24 : abc-05-hiddencam successfully logged on
Dec 10 06:17:01 : abc-05-hiddencam logged off
Dec 10 06:11:55 : abc-05-hiddencam logged off

2. This query captures the service entering the start or stop status.

Query:

index=windows_log host=abc-05-hiddencam entered*
| rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\d+-\w+).*(?<status>service\s\w+\s\w+\s\w+\s\w+)"
| eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status
| table "Hidden Cam Monitoring"

2. Sample Output:

Dec 10 16:10:04 : abc-05-hiddencam service entered the stopped state
Dec 10 15:31:31 : abc-05-hiddencam service entered the stopped state
Dec 10 15:28:19 : abc-05-hiddencam service entered the running state
Dec 10 15:28:18 : abc-05-hiddencam service entered the running state

My issue is that I want to combine the above queries into a single query and get the output in a table as shown below.

3. Expected sample results:

Dec 10 13:35:12 : abc-05-hiddencam successfully logged on
Dec 10 16:10:04 : abc-05-hiddencam service entered the stopped state
Dec 10 06:19:24 : abc-05-hiddencam successfully logged on
Dec 10 15:28:18 : abc-05-hiddencam service entered the running state
Dec 10 06:17:01 : abc-05-hiddencam logged off
Dec 10 15:28:19 : abc-05-hiddencam service entered the running state
Dec 10 06:11:55 : abc-05-hiddencam logged off
Dec 10 15:31:31 : abc-05-hiddencam service entered the stopped state

(The results will differ from the above depending on the timestamps and the events. What I mean is that the results from both queries are mixed together in a single table in the order in which they take place.)

Thank you heaps in advance. 


gcusello
SplunkTrust

Hi @GRC,

Please try something like this:

index=windows_log host=abc-05-hiddencam logged*
| rex "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\w+-\w+).+Audit\S+\s\w+\s\w+\s(?<status>.+).\s\s\s\sSub.*"
| rex "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\d+-\w+).*(?<status>service\s\w+\s\w+\s\w+\s\w+)"
| eval "Hidden Cam Monitoring" = Date." : ".hostname." ".status
| table "Hidden Cam Monitoring"

I could be more sure if you could share some samples of both your logs.

Ciao.

Giuseppe


GRC
Path Finder

Hi @gcusello,

Thank you for trying to help. However, it did not work. I can provide some sample log data for both so it is easier to understand what I am trying to achieve. Please feel free to rename the fields (date, hostname, status) in my regex when combining the queries so it does not confuse Splunk.

Query 1:

index=windows_log host=abc-05-hiddencam logged*
| rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\w+-\w+).+Audit\S+\s\w+\s\w+\s(?<status>.+).\s\s\s\sSub.*"
| eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status
| table "Hidden Cam Monitoring"

Sample Data:

Dec 11 13:35:05 abc-05-hiddencam EventLog#0111#011Security#011618268#011Sat Dec 11 13:35:03 2021#0114624#011Microsoft-Windows-Security-Auditing#011NT AUTHORITY\SYSTEM#011N/A#011Success Audit#011abc-05-hiddencam#011Logon#011#011An account was successfully logged on.    SubjectPackage Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is
Dec 11 13:30:34 abc-05-hiddencam EventLog#0111#011Security#011618223#011Sat Dec 11 13:30:31 2021#0114624#011Microsoft-Windows-Security-Auditing#011NT AUTHORITY\SYSTEM#011N/A#011Success Audit#011abc-05-hiddencam#011Logon#011#011An account was successfully logged on.    Subject:
Dec 10 06:11:55 abc-05-hiddencam EventLog#0111#011Security#011616614#011Fri Dec 10 06:11:52 2021#0114634#011Microsoft-Windows-Security-Auditing#011abc-05-hiddencam\operations#011N/A#011Success Audit#011abc-05-hiddencam#011Logoff#011#011An account was logged off.    Subject

Query 2:

index=windows_log host=abc-05-hiddencam entered*
| rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\d+-\w+).*(?<status>service\s\w+\s\w+\s\w+\s\w+)"
| eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status
| table "Hidden Cam Monitoring"

Sample Data:

Dec 11 19:10:38 abc-05-hiddencam EventLog#0111#011System#0119#011Sat Dec 11 19:10:38 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.#01175830
Dec 11 18:55:46 abc-05-hiddencam EventLog#0111#011System#011618596#011Sat Dec 11 18:55:46 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The Google Update Service (gupdate) service entered the stopped state.#01175829
Dec 11 18:52:38 abc-05-hiddencam EventLog#0111#011System#011618594#011Sat Dec 11 18:52:38 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.#01175828

Thank you so much for your help.

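A single search that produces the interleaved table the question asks for, written here as an added example rather than taken from either post. It assumes the same index, host and field names as the original queries and that the raw events look like the samples above; the status patterns are anchored on the fixed phrases "An account was ... logged on/off" and "service entered the ... state" instead of counting words, so they are less brittle than the original regexes.

```spl
index=windows_log host=abc-05-hiddencam (logged* OR entered*)
| rex "^(?<Date>\w{3}\s+\d+\s\d+:\d+:\d+)\s(?<hostname>\w+-\w+-\w+)"
| rex "An account was (?<status>successfully logged on|logged off)"
| rex "(?<status>service entered the \w+ state)"
| where isnotnull(status)
| eval "Hidden Cam Monitoring" = Date . " : " . hostname . " " . status
| sort - _time
| table "Hidden Cam Monitoring"
```

Each rex only assigns status when its own pattern matches, so the logon/logoff extraction and the service-state extraction do not overwrite each other, and the where clause drops any event that matched the keyword search but neither phrase; sort - _time then lists both event types together, newest first, in the order they occurred.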