The following events are filtered by Snare and sent to Splunk from Windows Servers:
Server.egcorp.com MSWinEventLog 1 Security 255931 Tue Jul 01 02:56:52 2014 528 Security JOHN User Success Audit Server Logon/Logoff Successful Logon: User Name: JOHN Domain: egcorp Logon ID: (0x0,0xC8BCFD2) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: Server Logon GUID: {122ff468-2a7e-bd13-abfc-3dbf4c3ac3d4} Caller User Name: Server$ Caller Domain: egcorp Caller Logon ID: (0x0,0x3E7) Caller Process ID: 532 Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 255930
Objective: To extract the Time and the User from these events using regex to filter these two fields.
Result:
Jul 01 02:56:52 2014 JOHN
Thanks
W
This regex string should do the trick.
(?:[\S]+ ){6}(?<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<User>\S+)\s
Full Query
(server02 OR server01) AND 528 | rex "(?:[\S]+ ){6}(?<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<User>\S+)\s" | table DateTime User
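As an added example (not part of the original answer, and not Splunk code), here is the same regex run in Python against the event quoted in the question, plus a constructed tab-delimited copy of it. Snare's syslog format separates the header fields with tabs; when those tabs reach Splunk intact, the answer's `(?:[\S]+ ){6}` (literal space after each field) never matches, and the rex then yields exactly the symptom reported later in this thread: raw events in EVENTS, blank DateTime and User columns in the table. Replacing that space with `\s` accepts either delimiter. The names EVENT_TABS, PATTERN_SPACE_ONLY, PATTERN_ANY_WS, extract and table are this example's own.

```python
import re

# Event quoted from the question, with the header fields space-separated exactly as pasted.
EVENT_SPACES = (
    "Server.egcorp.com MSWinEventLog 1 Security 255931 Tue Jul 01 02:56:52 2014 528 "
    "Security JOHN User Success Audit Server Logon/Logoff Successful Logon: "
    "User Name: JOHN Domain: egcorp Logon ID: (0x0,0xC8BCFD2) Logon Type: 2 "
    "Logon Process: User32 Authentication Package: Negotiate Workstation Name: Server "
    "Logon GUID: {122ff468-2a7e-bd13-abfc-3dbf4c3ac3d4} Caller User Name: Server$ "
    "Caller Domain: egcorp Caller Logon ID: (0x0,0x3E7) Caller Process ID: 532 "
    "Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 255930"
)

# Constructed variant (not from the page): the same event with a TAB between the Snare
# header fields, as the agent emits it; only the date and the description keep spaces.
EVENT_TABS = (
    "Server.egcorp.com\tMSWinEventLog\t1\tSecurity\t255931\tTue Jul 01 02:56:52 2014\t528\t"
    "Security\tJOHN\tUser\tSuccess Audit\tServer\tLogon/Logoff\tSuccessful Logon: "
    "User Name: JOHN Domain: egcorp Logon ID: (0x0,0xC8BCFD2) Logon Type: 2 "
    "Logon Process: User32 Authentication Package: Negotiate Workstation Name: Server\t255930"
)

# The answer's regex in Python syntax ((?P<name>...) instead of (?<name>...)).
# It requires a literal space after each of the first six header fields.
PATTERN_SPACE_ONLY = re.compile(
    r"(?:\S+ ){6}(?P<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?P<User>\S+)\s"
)

# Same regex with the literal space replaced by \s, so a TAB delimiter also matches.
PATTERN_ANY_WS = re.compile(
    r"(?:\S+\s){6}(?P<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?P<User>\S+)\s"
)


def extract(event, pattern=PATTERN_ANY_WS):
    """Return {'DateTime': ..., 'User': ...} for one Snare event, or None if no match.

    None here corresponds to the empty DateTime/User cells Splunk's table shows
    when rex did not match.
    """
    m = pattern.search(event)
    return m.groupdict() if m else None


def table(events, pattern=PATTERN_ANY_WS):
    """Rough equivalent of `| rex ... | table DateTime User` over a list of raw events.

    Events the pattern does not match produce a row of empty strings.
    """
    rows = []
    for ev in events:
        fields = extract(ev, pattern) or {}
        rows.append((fields.get("DateTime", ""), fields.get("User", "")))
    return rows


if __name__ == "__main__":
    for name, pat in (("space-only", PATTERN_SPACE_ONLY), ("any-whitespace", PATTERN_ANY_WS)):
        print(name, "on pasted event:     ", extract(EVENT_SPACES, pat))
        print(name, "on tab-delimited event:", extract(EVENT_TABS, pat))
```

The quick check in Splunk is the same: if `| table DateTime User` comes back blank while the raw events are clearly there, change `(?:[\S]+ ){6}` to `(?:\S+\s){6}` in the rex and rerun; the rest of the expression is unchanged.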
After adding the "*", it shows all fields including DateTime and User - but these fields are blank. The rest of the fields have valid data.
I've never known these boards to change text like that. Perhaps putting backticks around the pasted text will help.
Does adding a '*' to the table command show any fields have been parsed?
In the Search it all looks correct. Only when I paste it into the Splunk Community page does it come out different. Still no results are shown. I think the regex is not matching any user in the events.
Look closer. 'datetime' <> 'DateTime'; 'user' <> 'User'
It looks correct to me. Perfect matching case too.
Remember that Splunk is case sensitive. The field names in the stats and table commands must match those in your rex string exactly.
After applying this, EVENTS shows the entire raw events but STATISTICS shows no results. Am I missing something?
Add this after the search. "| table DateTime, User"
I tried:
* (server02 OR server01) AND 528 | rex "(?:[\S]+ ){6}(?
and I just got the raw events:
RICHGALLOWAY - Sorry, I misunderstood your question. The event that I listed above is in fact just one event, but Splunk receives multiple such events.
The time stamps of Splunk and the event might not be the same.
If that's multiple events then you'll have trouble using just regex to get your fields. I see a date only in the first event and a user name only in the second (twice). To parse these, you'll first need to combine them using a common field.
Does the time stamp Splunk has found match your time string in the data? If so, can you use that for your time?
Multiple events
Is that a single event you cited or multiple events?