Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract usernames from Windows event log 4648 in Splunk?

Pundittech
Loves-to-Learn Lots
‎02-08-2023 10:03 PM

hi

Have a large index that contains event logs. Trying to extract usernames of EventID 4648.

How can I get this displayed along with the computer name it logged into?

Thanks in advance.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

Pundittech
Loves-to-Learn Lots
‎02-09-2023 02:29 AM

@gcuselloI sent you a PM. Thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-09-2023 03:01 AM

Hi @Pundittech,

it's an xml format, if you use the INDEXED_EXTRACTIONS=xml in props.conf (on Forwarder, Indexer and Searc Head) you should have all the field extracted.

In addition, you could use the spath command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath) to extract all fields.

At the end, you can also use a regex like the following:

| rex "\<Data Name\=\'SubjectUserName\'\>(?<UserName>[^\<]+)"

that you can test at https://regex101.com/r/ubUniP/1

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎02-09-2023 11:48 PM

Hi @Pundittech ,

I tried spath using your sample logs and it extracts all fields.

Anyway, you can also use this regex:

 

| rex "(?ms)\<Computer\>(?<Computer>[^\<]+).*\<Data Name\=\'SubjectUserName\'\>(?<SubjectUserName>[^\<]+).*\<Data Name\=\'TargetUserName\'\>(?<TargetUserName>[^\<]+).*\<Data Name\=\'TargetServerName\'\>(?<TargetServerName>[^\<]+).*\<Data Name\=\'ProcessId\'\>(?<ProcessId>[^\<]+).*\<Data Name\=\'ProcessName\'\>(?<ProcessName>[^\<]+).*\<Data Name\=\'IpAddress\'\>(?<IpAddress>[^\<]+).*"

 

that you can test at https://regex101.com/r/ljtkar/1

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-08-2023 11:51 PM

Hi @Pundittech,

could you share some sample of your data, highlighting the values to extract?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...