Splunk Search

How to extract field from Windows event log

davidjohnbecket
Path Finder

The event I have is from a windows event log and AppLocker

See below:

LogName=Microsoft-Windows-AppLocker/EXE and DLL
SourceName=Microsoft-Windows-AppLocker
EventCode=8002
EventType=4
Type=Information
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=24254
Keywords=None
Message=%SYSTEM32%\TASKHOSTW.EXE was allowed to run.

I would like to extract the new field labeled "Application" and have the search return the TASKHOSTW.EXE

How can I do this? (Regex is not my strong suit)

p.s. Happy to do the extraction at the time of the search.

0 Karma
1 Solution

mayurr98
Super Champion

Try this run anywhere search

| makeresults 
| eval data="LogName=Microsoft-Windows-AppLocker/EXE and DLL
SourceName=Microsoft-Windows-AppLocker
EventCode=8002
EventType=4
Type=Information
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=24254
Keywords=None
Message=%SYSTEM32%\TASKHOSTW.EXE was allowed to run." 
| rex field=data "Message=.*\\\(?<Application>[^\s]+)\s\w+"

On your prod data the code would be

| rex field=_raw "Message=.*\\\(?<Application>[^\s]+)\s\w+"

View solution in original post

vik_splunk
Communicator

Hi @davidjohnbeckettorb

If it's a regex you would like to use, below should work for you.

|rex field=Message "(?i)^.+\\(?P<'Application'>[^\s]+)"

provided you are trying to capture the value between the first This-->\ and the next space that appears.

Please remove the '' in Application while attempting it. Not sure how I include text in angular

There are other ways to achieve this using an eval and it can be explored if you need to.

davidjohnbecket
Path Finder

Thank you @vik_splunk - worked a treat!

0 Karma

mayurr98
Super Champion

Try this run anywhere search

| makeresults 
| eval data="LogName=Microsoft-Windows-AppLocker/EXE and DLL
SourceName=Microsoft-Windows-AppLocker
EventCode=8002
EventType=4
Type=Information
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=24254
Keywords=None
Message=%SYSTEM32%\TASKHOSTW.EXE was allowed to run." 
| rex field=data "Message=.*\\\(?<Application>[^\s]+)\s\w+"

On your prod data the code would be

| rex field=_raw "Message=.*\\\(?<Application>[^\s]+)\s\w+"

davidjohnbecket
Path Finder

Thank you @ mayurr98. Add this to my search and pulled out the application nicely. Much appreciated

0 Karma
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out &gt;&gt; Kudos to all the ...