Splunk Search

How to separate multiple values from a single Windows event log entry?

Path Finder

An example of a SINGLE Windows application log event I'm looking at in my environment is:

09/09/2015 09:46:05 AM
LogName=Application
SourceName=Outlook
EventCode=45
EventType=4
Type=Information
ComputerName=PCNAME.stroock.com
TaskCategory=None
OpCode=None
RecordNumber=192048
Keywords=Classic
Message=Outlook loaded the following add-in(s):


Name: Workshare Ribbon Add-In for Microsoft Office
Description: Workshare Ribbon Addin
ProgID: Workshare.Ribbon.Addin.Connect
GUID: {1023B9C0-05A1-4DD5-9BF9-54BA6A4C07E2}
Load Behavior: 03
HKLM: 1
Location: C:\Program Files\Workshare\Modules\Workshare.Ribbon.Addin.Shim.dll
Boot Time (Milliseconds): 1076

Name: Workshare Outlook COM Addin
Description: Workshare Outlook COM Addin
ProgID: Workshare.OutlookAddin.1
GUID: {AE6053BC-57B4-44B6-BB87-DB52074FE54A}
Load Behavior: 03
HKLM: 1
Location: c:\program files\workshare\modules\Workshare.Client.OutlookExtension.dll
Boot Time (Milliseconds): 2683

Name: Workshare Professional Attachment(s) Alert and Compare
Description: 
ProgID: Workshare.Client.OutlookFormUI.AddinMod
GUID: {AB912E26-FAB0-41DF-9424-68A41A214D94}
Load Behavior: 03
HKLM: 1
Location: C:\Program Files\Workshare\Modules\\adxloader.dll
Boot Time (Milliseconds): 6287

This is written each time users launch Outlook and shows us how long the various add-ins we use take to launch (and slow down the opening of Outlook). I'd like to be able to run some statistics on these numbers, so I need to be able to parse out the multiple Name and Boot Time values from each of these... I'd like to get the data to show the following columns:

_time
SourceName
Computername
Name
Description
Boot Time

for all add-ins loaded with each launch of outlook.

Any help much appreciated.


Re: How to separate multiple values from a single Windows event log entry?

SplunkTrust

Give this a try

Your base search
| table _raw
| rex mode=sed "s/([\r\n]+)/ |/g"
| extract
| table SourceName ComputerName _raw
| rex max_match=0 "Name\s*:\s*(?<Temp>([^\|]*\|){7}[^:]+:\s+\d+)"
| table SourceName ComputerName Temp
| mvexpand Temp
| rex field=Temp "(?<Name>[^\|]+)\|\s*Description:(?<Description>[^\|]+)\|([^\|]*\|){5}\s*Boot Time \(Milliseconds\): (?<Boot_Time>\d+)"
| fields - Temp

Re: How to separate multiple values from a single Windows event log entry?

Path Finder

Outstanding! Thank you so much.


Re: How to separate multiple values from a single Windows event log entry?

Path Finder

Actually I spoke too soon, this excludes the time field? This is more advanced than I'm used to, so I'm not sure how to include it in your search...


Re: How to separate multiple values from a single Windows event log entry?

Influencer

With the default Windows event log sourcetype, it should auto-extract those values into MV fields. Using mvzip, create a single MV field with all the values concatenated within. Then mvexpand on that new field to create 1 event for each combination. Finally, break apart the zipped field and report on the values with stats or similar. Something like this (untested):

... | eval TempMV=mvzip(Name,Description,"|") | eval TempMV=mvzip(TempMV,Boot_Time__Milliseconds_,"|") |
mvexpand TempMV |
rex field=TempMV "(?<AIname>[^\|]+)\|(?<AIdesc>[^\|]+)\|(?<AItime>\d+)" |
table _time SourceName ComputerName AIname AIdesc AItime

EDIT: failed to backslash one of the pipes

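An added example, not part of the thread and not Splunk's or either answerer's code: the same row-per-add-in flattening that both searches above perform in SPL (join-lines-then-rex in the first answer, mvzip/mvexpand in the second), written in Python so the expected result for one event can be checked offline. It uses the event quoted in the question as its sample, trimmed to two of the three add-ins (a few header lines are left out as well), and keeps the third add-in because its empty Description is the awkward case. The last function shows an assumed failure mode, not a statement about any particular Splunk version: if an extractor skipped the "Description:" line that has no value, the Description multivalue field would be one entry short and a positional zip would pair the wrong values or lose a row without any error. Location is included as an extra column because the DLL path is what an add-in inventory (which add-ins load from which hive and path) pivots on.

```python
import re
from datetime import datetime

# Constructed sample: the Application log event quoted in the question, with a
# few header lines and the middle add-in left out. The add-in with the empty
# Description is kept because it is the edge case that matters below.
SAMPLE_EVENT = r"""09/09/2015 09:46:05 AM
LogName=Application
SourceName=Outlook
EventCode=45
Type=Information
ComputerName=PCNAME.stroock.com
RecordNumber=192048
Message=Outlook loaded the following add-in(s):


Name: Workshare Ribbon Add-In for Microsoft Office
Description: Workshare Ribbon Addin
ProgID: Workshare.Ribbon.Addin.Connect
GUID: {1023B9C0-05A1-4DD5-9BF9-54BA6A4C07E2}
Load Behavior: 03
HKLM: 1
Location: C:\Program Files\Workshare\Modules\Workshare.Ribbon.Addin.Shim.dll
Boot Time (Milliseconds): 1076

Name: Workshare Professional Attachment(s) Alert and Compare
Description: 
ProgID: Workshare.Client.OutlookFormUI.AddinMod
GUID: {AB912E26-FAB0-41DF-9424-68A41A214D94}
Load Behavior: 03
HKLM: 1
Location: C:\Program Files\Workshare\Modules\\adxloader.dll
Boot Time (Milliseconds): 6287
"""

HEADER_RE = re.compile(r"^(\w+)=(.*)$")       # "Key=value" lines above Message=
FIELD_RE = re.compile(r"^([^:]+?):\s?(.*)$")   # "Key: value" lines inside a record


def parse_event(raw):
    """Split one event into (timestamp, header dict, text after Message=)."""
    lines = raw.splitlines()
    timestamp = datetime.strptime(lines[0].strip(), "%m/%d/%Y %I:%M:%S %p")
    header, body = {}, ""
    for i, line in enumerate(lines[1:], start=1):
        if line.startswith("Message="):
            header["Message"] = line[len("Message="):]
            body = "\n".join(lines[i + 1:])
            break
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
    return timestamp, header, body


def parse_addins(body):
    """One dict per add-in record. Records are split on blank lines, so each
    record's fields stay together and an empty Description survives as ''."""
    addins = []
    for block in re.split(r"\n\s*\n", body.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if "Name" in rec:
            addins.append(rec)
    return addins


def addin_rows(raw):
    """Flatten one event into one row per add-in: the columns the question
    asks for, plus Location (the DLL path) for add-in inventory work."""
    ts, header, body = parse_event(raw)
    return [{
        "_time": ts,
        "SourceName": header.get("SourceName"),
        "ComputerName": header.get("ComputerName"),
        "Name": rec["Name"],
        "Description": rec.get("Description", ""),
        "Boot_Time": int(rec.get("Boot Time (Milliseconds)", 0)),
        "Location": rec.get("Location"),
    } for rec in parse_addins(body)]


def misaligned_mvzip_demo(raw):
    """Assumed failure mode of the positional mvzip/mvexpand approach: if an
    extractor skipped the valueless 'Description:' line, Name and Boot Time
    would have two entries but Description only one. zip() truncates to the
    shortest list, so the second add-in disappears with no error; check the
    per-field value counts before trusting a positional zip."""
    recs = parse_addins(parse_event(raw)[2])
    names = [r["Name"] for r in recs]
    descs = [r["Description"] for r in recs if r["Description"]]  # empty one lost
    times = [r["Boot Time (Milliseconds)"] for r in recs]
    return list(zip(names, descs, times))
```

The check this suggests for the SPL version is cheap: compare mvcount(Name), mvcount(Description) and mvcount of the Boot Time field per event before the mvzip, and fall back to splitting the raw message per record (as the first answer does) for any event where the counts differ.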


Re: How to separate multiple values from a single Windows event log entry?

Path Finder

Nice! That works great and maybe? seems to be a little simpler than the previous answer. Thank you very much.
