Re: how to extract usernames from windows event lo...

Pundittech · ‎02-08-2023

hi

Have a large index that contains event logs. Trying to extract usernames of EventID 4648.

How can I get this displayed along with the computer name it logged into?

Thanks in advance.

Pundittech · ‎02-09-2023

@gcuselloI sent you a PM. Thanks

gcusello · ‎02-09-2023

Hi @Pundittech,

it's an xml format, if you use the INDEXED_EXTRACTIONS=xml in props.conf (on Forwarder, Indexer and Searc Head) you should have all the field extracted.

In addition, you could use the spath command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath) to extract all fields.

At the end, you can also use a regex like the following:

| rex "\<Data Name\=\'SubjectUserName\'\>(?<UserName>[^\<]+)"

that you can test at https://regex101.com/r/ubUniP/1

Ciao.

Giuseppe

gcusello · ‎02-09-2023

Hi @Pundittech ,

I tried spath using your sample logs and it extracts all fields.

Anyway, you can also use this regex:

| rex "(?ms)\<Computer\>(?<Computer>[^\<]+).*\<Data Name\=\'SubjectUserName\'\>(?<SubjectUserName>[^\<]+).*\<Data Name\=\'TargetUserName\'\>(?<TargetUserName>[^\<]+).*\<Data Name\=\'TargetServerName\'\>(?<TargetServerName>[^\<]+).*\<Data Name\=\'ProcessId\'\>(?<ProcessId>[^\<]+).*\<Data Name\=\'ProcessName\'\>(?<ProcessName>[^\<]+).*\<Data Name\=\'IpAddress\'\>(?<IpAddress>[^\<]+).*"

that you can test at https://regex101.com/r/ljtkar/1

Ciao.

Giuseppe

gcusello · ‎02-08-2023

Hi @Pundittech,

could you share some sample of your data, highlighting the values to extract?

Ciao.

Giuseppe

How to extract usernames from Windows event log 4648 in Splunk?

field extraction

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?