
How to search a multiline event using rex at search time?

Communicator

Hey Splunkers,

I cannot get the following rex statement to match in Splunk. I read that using (?m) in the transforms.conf file will match multiline events; however, I am having trouble getting this to work at search time. Actually, I don't even know if this will work at search time.

index=security EventCode=1234 OR EventCode=123 
| rex field=_raw 
    "(?m)Target\sAccount.*\r\n\tSecurity.*\r\n\tAccount\sName\:\t\t (?<Foobar>.*)"

Please let me know if this would work...

Regardless, we have events that have a field of "Account Name". After which, there is another "Account Name" that isn't being made into a field. The data after the second Account Name is what we are trying to grab. Example:

Subject:
    Security ID:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Account Name:       admin
    Account Domain:     dom
    Logon ID:       xxxxxxxxxx

Target Account:
    Security ID:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Account Name:       bigadmin
    Account Domain:     dom

Any better ideas on how to do this? Thanks in advance!

I-Man

1 Solution

Splunk Employee

You can do exactly that with mvindex. This function allows you to pick which value of a multi-valued field you would like to take. I'll show a search using -1 as the index value, since this will always pick the last value. Using the following search will take the last "Account_Name" and place it in a field called user for each event:

Account_Name="*" EventCode="4624" | eval user=mvindex(Account_Name,-1)

Cheers,
ron

P.S. If you want to verify that the user field is picking up the correct values, try this search which will list the Account_Name(s) and user fields side-by-side:

Account_Name="*" EventCode="4624" | eval user=mvindex(Account_Name,-1) | table Account_Name user

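To make the two approaches in this thread concrete, here is an added worked example (not from the question or the answer, and not Splunk's own code): it runs a whitespace-tolerant multiline regex over a constructed copy of the event shown in the question, emulates `mvindex(Account_Name,-1)` by taking the last of all extracted "Account Name" values, and shows why the literal `\r\n\t\t ` pattern from the question only matches when the event carries exactly those bytes. Python's `re` needs `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`; the sample events, Security IDs and function names are all constructed for this example.

```python
import re
from typing import List, Optional

# Constructed sample event modelled on the one in the question: space-indented,
# LF line endings. Real Windows events are frequently tab-indented with CRLF,
# which is exactly why a regex that hard-codes "\r\n\t" is brittle.
SAMPLE_EVENT = """\
An account was created.

Subject:
    Security ID:        S-1-5-21-EXAMPLE-500
    Account Name:       admin
    Account Domain:     dom
    Logon ID:           0x3e7

Target Account:
    Security ID:        S-1-5-21-EXAMPLE-1105
    Account Name:       bigadmin
    Account Domain:     dom
"""

# Constructed CRLF / tab-indented variant of the same event.
SAMPLE_EVENT_TABS = (
    "Subject:\r\n\tSecurity ID:\t\tS-1-5-21-EXAMPLE-500\r\n"
    "\tAccount Name:\t\t admin\r\n\tAccount Domain:\t\tdom\r\n"
    "\tLogon ID:\t\t0x3e7\r\n\r\n"
    "Target Account:\r\n\tSecurity ID:\t\tS-1-5-21-EXAMPLE-1105\r\n"
    "\tAccount Name:\t\t bigadmin\r\n\tAccount Domain:\t\tdom\r\n"
)

# Every "Account Name:" value in the event, in order. This is the equivalent of
# the multi-valued Account_Name field the Windows add-on extracts for you.
# re.MULTILINE (the (?m) flag) makes ^ and $ match at line boundaries; the
# trailing \s* swallows a stray \r so CRLF events do not leak it into the value.
ACCOUNT_NAME_RE = re.compile(r"^\s*Account Name:\s*(?P<name>\S+)\s*$", re.MULTILINE)


def account_names(event: str) -> List[str]:
    return [m.group("name") for m in ACCOUNT_NAME_RE.finditer(event)]


def last_account_name(event: str) -> Optional[str]:
    """Emulates `eval user=mvindex(Account_Name,-1)`: the last value, if any."""
    names = account_names(event)
    return names[-1] if names else None


# The rex idea from the question, made tolerant of indentation and line endings:
# anchor on the "Target Account:" header and take the Account Name inside that
# block. The (?s) flag is deliberately NOT used, so "." never runs across lines.
TARGET_ACCOUNT_RE = re.compile(
    r"^Target Account:\s*$"            # block header on its own line
    r"(?:\n\s*Security ID:[^\n]*)?"     # optional Security ID line
    r"\n\s*Account Name:\s*(?P<Foobar>\S+)",
    re.MULTILINE,
)


def target_account_name(event: str) -> Optional[str]:
    # Normalise CRLF to LF first so one pattern serves both event shapes.
    m = TARGET_ACCOUNT_RE.search(event.replace("\r\n", "\n"))
    return m.group("Foobar") if m else None


# The literal pattern from the question, only translated to Python's (?P<...>)
# group syntax. It requires the exact bytes "\r\n\t" and "\t\t " to be present.
LITERAL_REX = re.compile(
    r"(?m)Target\sAccount.*\r\n\tSecurity.*\r\n\tAccount\sName\:\t\t (?P<Foobar>.*)"
)


def literal_rex_match(event: str) -> Optional[str]:
    # Note: because "." matches "\r", a CRLF event yields "bigadmin\r" here,
    # a second reason to prefer \S+ over .* for the captured value.
    m = LITERAL_REX.search(event)
    return m.group("Foobar") if m else None


if __name__ == "__main__":
    for label, ev in (("LF/spaces", SAMPLE_EVENT), ("CRLF/tabs", SAMPLE_EVENT_TABS)):
        print(label, account_names(ev), last_account_name(ev),
              target_account_name(ev), repr(literal_rex_match(ev)))
```

Both `last_account_name` (the mvindex route) and `target_account_name` (the anchored rex route) return `bigadmin` for either event shape; `literal_rex_match` returns nothing for the space-indented event and `bigadmin\r` for the tab/CRLF one. When you do use rex in Splunk, anchoring on the `Target Account:` header is safer than counting on the second value being last, since some event types carry more than two account names.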


Communicator

Exactly what I was looking for. Thanks ron!!!

0 Karma

Splunk Employee

If you have the Windows app installed, Splunk should automagically extract both account names from the log entries. Select Account_Name in the "Pick Fields" and search for something like this:

Account_Name=* EventCode="4624"

You'll notice that under each event that has multiple account names, you'll see both entries:

Account_Name=- | Account_Name=SYSTEM

You don't need the (?m). The RegEx was not correct prior to being edited, but you shouldn't need to use one.

Cheers

Communicator

Thanks much for the response ron. Is there any way to only grab the second account name and ignore the first instance?

0 Karma