
How to search a Multiline event using rex at searchtime?

I-Man
Communicator

Hey Splunkers,

I cannot get the following rex statement to match in Splunk. I read that using (?m) in the transforms.conf file will match multiline events, however I am having trouble getting this to work at search time. Actually, I don't even know if this will work at search time.

index=security EventCode=1234 OR EventCode=123 
| rex field=_raw 
    "(?m)Target\sAccount.*\r\n\tSecurity.*\r\n\tAccount\sName\:\t\t (?<Foobar>.*)"

Please let me know if this would work...

Regardless, we have events that have a field of "Account Name". After which, there is another "Account Name" that isn't being made into a field. The data after the second Account Name is what we are trying to grab. Example:

Subject:
    Security ID:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Account Name:       admin
    Account Domain:     dom
    Logon ID:       xxxxxxxxxx

Target Account:
    Security ID:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Account Name:       bigadmin
    Account Domain:     dom

Any better ideas on how to do this? Thanks in advance!

I-Man


Ron_Naken
Splunk Employee

You can do exactly that with mvindex. This function allows you to pick which value of a multi-valued field you would like to take. I'll show a search using -1 as the index value, since this will always pick the last value. Using the following search will take the last "Account_Name" and place it in a field called user for each event:

Account_Name="*" EventCode="4624" | eval user=mvindex(Account_Name,-1)

Cheers,
ron

P.S. If you want to verify that the user field is picking up the correct values, try this search which will list the Account_Name(s) and user fields side-by-side:

Account_Name="*" EventCode="4624" | eval user=mvindex(Account_Name,-1) | table Account_Name user

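Added illustration, not part of the thread or of Splunk itself: a small Python model of what the accepted answer does. It builds the multi-valued Account_Name list the Windows app extracts from an event like the one in the question, applies an mvindex(-1) equivalent, and contrasts that with a block-anchored regex (the working form of what the rex in the question was trying to do). The event text is constructed from the question's sample, and the function names (account_names, mvindex, last_account_name, target_account_name) are mine. Note the caveat at the end: for an event with no "Target Account:" block, mvindex(-1) silently falls back to the Subject account, while the anchored regex returns nothing.

```python
import re
from typing import List, Optional

# Constructed sample event modelled on the one in the question (not real log data).
# Windows event text commonly uses CRLF line endings and tab indentation.
SAMPLE_EVENT = (
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-EXAMPLE\r\n"
    "\tAccount Name:\t\tadmin\r\n"
    "\tAccount Domain:\t\tdom\r\n"
    "\tLogon ID:\t\t0x1234\r\n"
    "\r\n"
    "Target Account:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-EXAMPLE\r\n"
    "\tAccount Name:\t\tbigadmin\r\n"
    "\tAccount Domain:\t\tdom\r\n"
)

# Every "Account Name:" line in order: the multi-valued Account_Name field.
# re.M makes ^ and $ match at line boundaries; \s* absorbs tabs or spaces.
ACCOUNT_NAME_RE = re.compile(r"^\s*Account Name:\s*(?P<name>\S+)\s*$", re.M)

# Only the Account Name inside the "Target Account:" block. re.S lets .*? span
# line breaks, and the lazy quantifier stops at the first Account Name that
# follows the heading, whatever the line endings or indentation are.
TARGET_ACCOUNT_RE = re.compile(
    r"Target Account:.*?Account Name:\s*(?P<name>\S+)", re.S
)


def account_names(event: str) -> List[str]:
    """Return all Account Name values, like Splunk's multi-valued Account_Name."""
    return [m.group("name") for m in ACCOUNT_NAME_RE.finditer(event)]


def mvindex(values: List[str], index: int) -> Optional[str]:
    """Mimic SPL mvindex(): negative indexes count from the end, out of range -> None."""
    try:
        return values[index]
    except IndexError:
        return None


def last_account_name(event: str) -> Optional[str]:
    """Equivalent of: | eval user=mvindex(Account_Name,-1)"""
    return mvindex(account_names(event), -1)


def target_account_name(event: str) -> Optional[str]:
    """Block-anchored alternative: the rex field=_raw approach done correctly."""
    m = TARGET_ACCOUNT_RE.search(event)
    return m.group("name") if m else None


if __name__ == "__main__":
    print("Account_Name =", account_names(SAMPLE_EVENT))
    print("mvindex(-1)  =", last_account_name(SAMPLE_EVENT))
    print("anchored rex =", target_account_name(SAMPLE_EVENT))
    # Same event with the Target Account block removed: the two approaches diverge.
    subject_only = SAMPLE_EVENT.split("\r\nTarget Account:")[0]
    print("no target block, mvindex(-1) =", last_account_name(subject_only))
    print("no target block, anchored rex =", target_account_name(subject_only))
```

The divergence in the last two lines is the thing to check before trusting mvindex(-1) in an alert: when an event type only ever carries a Subject block, the "last" account name is the actor, not the target.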

I-Man
Communicator

Exactly what I was looking for. Thanks ron!!!


Ron_Naken
Splunk Employee

If you have the Windows app installed, Splunk should automagically extract both account names from the log entries. Select Account_Name in the "Pick Fields" and search for something like this:

Account_Name=* EventCode="4624"

You'll notice that under each event that has multiple account names, you'll see both entries:

Account_Name=- | Account_Name=SYSTEM

You don't need the (?m). The RegEx was not correct prior to being edited, but you shouldn't need to use one.

Cheers

I-Man
Communicator

Thanks much for the response ron. Is there any way to only grab the second account name and ignore the first instance?
