Splunk Search

How to create a regex to extract data from windows event?

gndivya
Explorer

I have an event code 33205 which comes from Windows application logs, for which field extraction is not happening even though the Windows Add-on is installed.
To extract the statement field in the event, I am using the below regular expression:

| rex field=_raw "statement:(?<statement>[\d\D]*[\n\s])additional"

which extracts the data till the additional_information field. But there are extra spaces which are getting included while extracting, like this:

quote

EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)

unquote

The extra spaces are not getting removed. Could you please help me write the regex?

Sample event.

database_name:test
schema_name:dbo
object_name:Table_2
statement:EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)

additional_information:
user_defined_information:
application_name:EUPTTOPDBS004\SQLNAV-test-test2-4


codebuilder
Influencer

There is a fairly unknown gem which is your best friend in these scenarios, "erex".

Easiest to quote examples directly from the documentation, but it works like a champ.
... | erex monthday examples="7/01, 07/02" counterexamples="99/2"

Use "examples" to include samples of what you are searching for, and "counterexamples" to exclude.
Append one or both to your existing search, then view the Job Inspector. It'll give you the correct regex syntax to find what you are looking for. It is extremely useful!

https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Erex

----
An upvote would be appreciated and Accept Solution if it helps!

woodcock
Esteemed Legend

Like this:

... | rex "statement\:(?<statement>.*)[\r\n\s]+additional"

to4kawa
Ultra Champion

| rex "(?m)statement:(?<statement>.*$)"

try (?m) option. OR

| rex "statement:(?<statement>.*+)"

to4kawa
Ultra Champion

(?m)

https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php

Settings:

Fields » Field extractions » Add new

  • Destination app search(default)
  • Name statement_extraction
  • Apply to sourcetype
  • your sourcetype name
  • Type Inline
  • Extraction/Transform statement:(?<statement>.*+)

gndivya
Explorer

When I use this, I am getting all the data after "statement", like additional_information, user_defined_information and all the other things. Please let me know what else can be done to get only the required information.


to4kawa
Ultra Champion

Something is wrong with your log.
Check props.conf and LINE_BREAKER.


gndivya
Explorer

@to4kawa this worked in a normal search query, but I am not sure why the same regex is not working when it is used in inline field extractions. Could you please help me with this?
I want to know what that (?m) at the beginning of the regex string means. If possible, kindly let me know what document you refer to while creating regular expressions.


vnravikumar
Champion

Hi

Check this

| makeresults 
 | eval log="database_name:test
schema_name:dbo
object_name:Table_2
statement:EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)

additional_information:
user_defined_information:
application_name:EUPTTOPDBS004\SQLNAV-test-test2-4" |rex field=log "statement:(?P<statement>[^\n]+)"
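An added example, not posted by anyone in this thread: it runs the three regexes discussed above (the question's original, to4kawa's (?m) version and vnravikumar's [^\n]+) over a constructed copy of the posted sample event, using Python's re module as a stand-in for Splunk's PCRE. It shows why the original capture keeps the blank line, what (?m) changes, and the trailing \r that Windows-style CRLF events leave in the capture.

```python
import re
from typing import Optional

# Constructed copy of the event posted in the question (LF line endings).
STATEMENT = ("EXEC %%Object(MultiName = @qualified_name)"
             ".LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)")
EVENT = (
    "database_name:test\n"
    "schema_name:dbo\n"
    "object_name:Table_2\n"
    f"statement:{STATEMENT}\n"
    "\n"
    "additional_information:\n"
    "user_defined_information:\n"
    "application_name:EUPTTOPDBS004\\SQLNAV-test-test2-4\n"
)
# The same event as a Windows log often delivers it, with CRLF line endings.
EVENT_CRLF = EVENT.replace("\n", "\r\n")

# The regexes from the thread. rex's (?<name>...) is spelled (?P<name>...) in
# Python; otherwise re behaves like Splunk's PCRE for these patterns.
PATTERNS = {
    # [\d\D]* greedily eats the rest of the event and backtracks to the last
    # whitespace before "additional", so the capture keeps the blank line.
    "original": r"statement:(?P<statement>[\d\D]*[\n\s])additional",
    # (?m) makes $ match at each line end, not only at the end of the event,
    # so .*$ stops where the statement line stops.
    "multiline": r"(?m)statement:(?P<statement>.*$)",
    # Equivalent without the flag: consume anything that is not a newline.
    "no_newline": r"statement:(?P<statement>[^\n]+)",
}


def extract_statement(event: str, pattern_name: str) -> Optional[str]:
    """Return the raw capture of one of the thread's regexes, or None."""
    m = re.search(PATTERNS[pattern_name], event)
    return m.group("statement") if m else None


def extract_statement_clean(event: str) -> Optional[str]:
    """Stop at either CR or LF, then strip: on CRLF input $ matches before
    the \\n but after the \\r, so .*$ and [^\\n]+ both keep a trailing \\r."""
    m = re.search(r"statement:(?P<statement>[^\r\n]*)", event)
    return m.group("statement").strip() if m else None


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:>11} (LF):   {extract_statement(EVENT, name)!r}")
        print(f"{name:>11} (CRLF): {extract_statement(EVENT_CRLF, name)!r}")
    print(f"      clean (CRLF): {extract_statement_clean(EVENT_CRLF)!r}")
```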

gndivya
Explorer

@vnravikumar, this is working when used in a normal query, but I am not sure why the same regex is not working when it is used in inline field extractions. Could you please help me with this?
