How to extract Time and User from events using regex?

uayub
Path Finder

The following events are filtered by Snare and sent to Splunk from Windows Servers:

Server.egcorp.com MSWinEventLog 1 Security 255931 Tue Jul 01 02:56:52 2014 528 Security JOHN User Success Audit Server Logon/Logoff Successful Logon: User Name: JOHN Domain: egcorp Logon ID: (0x0,0xC8BCFD2) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: Server Logon GUID: {122ff468-2a7e-bd13-abfc-3dbf4c3ac3d4} Caller User Name: Server$ Caller Domain: egcorp Caller Logon ID: (0x0,0x3E7) Caller Process ID: 532 Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 255930

Objective: To extract the Time and the User from these events using regex to filter these two fields.
Result:
Jul 01 02:56:52 2014 JOHN

Thanks

W

0 Karma

richgalloway
SplunkTrust

This regex string should do the trick.

(?:[\S]+ ){6}(?<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<User>\S+)\s

Full Query

(server02 OR server01) AND 528 | rex "(?:[\S]+ ){6}(?<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<User>\S+)\s" | table DateTime User
---
If this reply helps you, Karma would be appreciated.
0 Karma
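As an added example (not code from the thread or from Splunk), the regex from the answer above applied in Python to the event quoted in the question plus two constructed Snare lines. Splunk's rex takes PCRE-style `(?<name>...)` groups, while Python's re module requires `(?P<name>...)`; the pattern is otherwise unchanged, and the `table` helper mimics `| table` to show why a wrong-case field name comes back blank.

```python
import re

# Splunk's rex takes PCRE-style (?<name>...) groups; Python's re needs (?P<name>...).
# Apart from that the pattern is the one proposed in the answer above.
SNARE_528 = re.compile(
    r"(?:[\S]+ ){6}"                               # skip host, MSWinEventLog, criticality, log, counter, weekday
    r"(?P<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})"  # e.g. "Jul 01 02:56:52 2014"
    r"[\s\S]*?Name:\s(?P<User>\S+)\s"              # lazy: the FIRST "Name: " is "User Name: JOHN", not "Caller User Name:"
)

def extract(event):
    """Return (DateTime, User), or None when the rex would leave both fields blank."""
    m = SNARE_528.search(event)
    return (m.group("DateTime"), m.group("User")) if m else None

def table(events, *fields):
    """Mimic `| table <fields>`: one row per event, None where a field was not extracted.
    Group names are case sensitive, so table(events, "datetime", "user") yields blank rows."""
    rows = []
    for event in events:
        m = SNARE_528.search(event)
        got = m.groupdict() if m else {}
        rows.append(tuple(got.get(f) for f in fields))
    return rows

# The first line is the event quoted in the question; the other two are constructed
# in the same Snare layout (a second logon, and a truncated line with no "Name:" field).
EVENTS = [
    "Server.egcorp.com MSWinEventLog 1 Security 255931 Tue Jul 01 02:56:52 2014 528 Security JOHN User "
    "Success Audit Server Logon/Logoff Successful Logon: User Name: JOHN Domain: egcorp "
    "Logon ID: (0x0,0xC8BCFD2) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate "
    "Workstation Name: Server Logon GUID: {122ff468-2a7e-bd13-abfc-3dbf4c3ac3d4} Caller User Name: Server$ "
    "Caller Domain: egcorp Caller Logon ID: (0x0,0x3E7) Caller Process ID: 532 Transited Services: - "
    "Source Network Address: 127.0.0.1 Source Port: 0 255930",
    # constructed: same format, another interactive logon
    "Server.egcorp.com MSWinEventLog 1 Security 255932 Tue Jul 01 03:10:05 2014 528 Security ALICE User "
    "Success Audit Server Logon/Logoff Successful Logon: User Name: ALICE Domain: egcorp Logon Type: 2 255931",
    # constructed: truncated event carrying no "Name:" field, so the rex extracts nothing from it
    "Server.egcorp.com MSWinEventLog 1 Security 255933 Tue Jul 01 03:11:00 2014 528 Security N/A User "
    "Success Audit Server Logon/Logoff Successful Logon: 255932",
]

if __name__ == "__main__":
    for row in table(EVENTS, "DateTime", "User"):
        print(row)
```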

uayub
Path Finder

After adding the "*", it shows all fields including DateTime and User - but these fields are blank. The rest of the fields have valid data.

0 Karma

richgalloway
SplunkTrust

I've never known these boards to change text like that. Perhaps putting backticks around the pasted text will help.
Does adding a '*' to the table command show any fields have been parsed?

---
If this reply helps you, Karma would be appreciated.
0 Karma

uayub
Path Finder
(server02 OR server01) AND 528 | rex "(?:[\S]+ ){6}(?<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<User>\S+)\s" | table DateTime User

In the Search everything looks correct. Only when I paste it into the Splunk Community page does it come out different. Still no results are shown. I think the regex is not matching any user in the events.

0 Karma

richgalloway
SplunkTrust

Look closer. 'datetime' <> 'DateTime'; 'user' <> 'User'

---
If this reply helps you, Karma would be appreciated.
0 Karma

uayub
Path Finder
(server02 OR server01) AND 528 | rex "(?:[\S]+ ){6}(?\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?\S+)\s" | Table DateTime, User

It looks correct to me... perfectly matching case too.

0 Karma

richgalloway
SplunkTrust

Remember that Splunk is case sensitive. The field names in the stats and table commands must match those in your rex string exactly.

---
If this reply helps you, Karma would be appreciated.
0 Karma

uayub
Path Finder

After applying this, the EVENTS show the entire raw events but the STATISTICS show no results. Am I missing something?

0 Karma

somesoni2
Revered Legend

Add this after the search. "| table DateTime, User"

0 Karma

uayub
Path Finder

I tried:

(server02 OR server01) AND 528 | rex "(?:[\S]+ ){6}(?\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?\S+)\s"

and I just got the raw events.

0 Karma

uayub
Path Finder

RICHGALLOWAY - Sorry, I misunderstood your question. The event that I listed above is in fact just one event. But Splunk receives multiple such events.

0 Karma

uayub
Path Finder

The time stamps of Splunk and the event might not be the same.

0 Karma

richgalloway
SplunkTrust

If that's multiple events then you'll have trouble using just regex to get your fields. I see a date only in the first event and a user name only in the second (twice). To parse these, you'll first need to combine them using a common field.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Richfez
SplunkTrust

Does the time stamp Splunk has found match your time string in the data? If so, can you use that for your time?

0 Karma

uayub
Path Finder

Multiple events

0 Karma

richgalloway
SplunkTrust

Is that a single event you cited or multiple events?

---
If this reply helps you, Karma would be appreciated.
0 Karma