Splunk Search

How to extract Time and User from events using regex?

Path Finder

The following events are filtered by Snare and sent to Splunk from Windows Servers:

Server.egcorp.com MSWinEventLog 1 Security 255931 Tue Jul 01 02:56:52 2014 528 Security JOHN User Success Audit Server Logon/Logoff Successful Logon: User Name: JOHN Domain: egcorp Logon ID: (0x0,0xC8BCFD2) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: Server Logon GUID: {122ff468-2a7e-bd13-abfc-3dbf4c3ac3d4} Caller User Name: Server$ Caller Domain: egcorp Caller Logon ID: (0x0,0x3E7) Caller Process ID: 532 Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 255930

Objective: To extract the Time and the User from these events using regex to filter these two fields.
Result:
Jul 01 02:56:52 2014 JOHN

Thanks

W


Re: How to extract Time and User from events using regex?

SplunkTrust

Is that a single event you cited or multiple events?

---
If this reply helps you, an upvote would be appreciated.

Re: How to extract Time and User from events using regex?

Path Finder

Multiple events


Re: How to extract Time and User from events using regex?

SplunkTrust

Does the time stamp Splunk has found match your time string in the data? If so, can you use that for your time?


Re: How to extract Time and User from events using regex?

SplunkTrust

If that's multiple events then you'll have trouble using just regex to get your fields. I see a date only in the first event and a user name only in the second (twice). To parse these, you'll first need to combine them using a common field.

---
If this reply helps you, an upvote would be appreciated.

Re: How to extract Time and User from events using regex?

Path Finder

The time stamps of Splunk and the event might not be the same.


Re: How to extract Time and User from events using regex?

Path Finder

RICHGALLOWAY - Sorry I misunderstood your question. The event that I listed above is in fact just one event. But Splunk receives multiple such events.


Re: How to extract Time and User from events using regex?

SplunkTrust

This regex string should do the trick.

(?:[\S]+ ){6}(?<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<User>\S+)\s

Full Query

(server02 OR server01) AND 528 | rex "(?:[\S]+ ){6}(?<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<User>\S+)\s" | table DateTime User
---
If this reply helps you, an upvote would be appreciated.

Re: How to extract Time and User from events using regex?

Path Finder

I tried:

(server02 OR server01) AND 528 | rex "(?:[\S]+ ){6}(?<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})[\s\S]*?Name:\s(?<User>\S+)\s"

and I just got the raw events.


Re: How to extract Time and User from events using regex?

SplunkTrust

Add this after the search. "| table DateTime, User"

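To check the rex from the accepted answer (and the "| table DateTime, User" the last reply adds) outside Splunk, here is an added Python example that is not from the thread: it runs the same pattern over the event from the question plus two constructed Snare lines, one that matches and one (audit log cleared) with no "Name:" field, so the no-match case is visible. The only change to the pattern is that Python's re module spells named groups (?P<name>...) instead of (?<name>...).

```python
import re
from datetime import datetime

# The rex from the accepted answer, with Splunk's PCRE named groups (?<name>...)
# written as Python's (?P<name>...); the rest of the pattern is unchanged.
SNARE_LOGON_RE = re.compile(
    r"(?:[\S]+ ){6}(?P<DateTime>\S+\s\S+\s\d+:\d+:\d+\s\d{4})"
    r"[\s\S]*?Name:\s(?P<User>\S+)\s"
)

# Constructed sample events: the first is the event from the question; the
# 540 (network logon) and 517 (audit log cleared) lines are made up here.
EVENTS = [
    "Server.egcorp.com MSWinEventLog 1 Security 255931 Tue Jul 01 02:56:52 2014 528 "
    "Security JOHN User Success Audit Server Logon/Logoff Successful Logon: "
    "User Name: JOHN Domain: egcorp Logon ID: (0x0,0xC8BCFD2) Logon Type: 2 "
    "Logon Process: User32 Authentication Package: Negotiate Workstation Name: Server "
    "Logon GUID: {122ff468-2a7e-bd13-abfc-3dbf4c3ac3d4} Caller User Name: Server$ "
    "Caller Domain: egcorp Caller Logon ID: (0x0,0x3E7) Caller Process ID: 532 "
    "Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 255930",
    "server01.egcorp.com MSWinEventLog 1 Security 255935 Tue Jul 01 03:12:07 2014 540 "
    "Security ALICE User Success Audit server01 Logon/Logoff Successful Network Logon: "
    "User Name: ALICE Domain: egcorp Logon ID: (0x0,0xC9A1B2) Logon Type: 3 "
    "Workstation Name: WS42 Source Network Address: 10.0.0.5 Source Port: 51234 255934",
    "Server.egcorp.com MSWinEventLog 1 Security 255936 Tue Jul 01 03:15:00 2014 517 "
    "Security SYSTEM User Success Audit Server System Event The audit log was cleared 255935",
]


def extract_fields(event):
    """Equivalent of '| rex ...' on one event: returns a dict with the two
    captured fields (plus the time parsed to a datetime), or None when the
    pattern does not match and Splunk would leave DateTime/User empty."""
    m = SNARE_LOGON_RE.search(event)
    if m is None:
        return None
    fields = m.groupdict()
    # Snare's time string carries no zone; treat it as the server's local time.
    fields["_time"] = datetime.strptime(fields["DateTime"], "%b %d %H:%M:%S %Y")
    return fields


def table(events):
    """Like '| table DateTime User', except that events where the rex did not
    match are dropped here, whereas Splunk would show them with empty cells."""
    return [(f["DateTime"], f["User"]) for f in map(extract_fields, events) if f]
```

Note that the pattern captures whatever follows the first "Name:" in the event, which for 528/540 events is the "User Name:" field; the six-token skip also assumes the Snare prefix (host, MSWinEventLog, criticality, log, counter, weekday) has no embedded spaces.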