Hi all,
I'm currently trying to run a search within the CLI (which works perfectly on Splunk Web).
The search is the following:
sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, "; ") | eval Account_Name=mvjoin(Account_Name, "; ") | eval Security_ID=mvjoin(Security_ID, "; ") | eval Logon_ID=mvjoin(Logon_ID, "; ") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc
Note: I am using the eval function to join multiple values that appear in one field in order to remove "line feeds" (because my goal is to export to csv).
In Windows PowerShell I run the following command:
splunk.exe "sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, `"; `") | eval Account_Name=mvjoin(Account_Name, `"; `") | eval Security_ID=mvjoin(Security_ID, `"; `") | eval Logon_ID=mvjoin(Logon_ID, `"; `") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc"
Please note that the command would work perfectly if the eval functions were left out, but I need them to achieve my goal of having no more "line feeds". So it's more or less a problem of correct escaping!?
I tried to use the escaping explained on this site, but no luck yet. Any ideas?
cheers
-ciir
PS: I know that there is such a thing as a Splunk PowerShell Resource Kit (but do I really have to use it?)
I found the answer by myself.
There are actually two approaches/methods to solve this issue:
splunk.exe "sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, \""; \"") | eval Account_Name=mvjoin(Account_Name, \""; \"") | eval Security_ID=mvjoin(Security_ID, \""; \"") | eval Logon_ID=mvjoin(Logon_ID, \""; \"") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc"
See this page (reference)
so your $SPLUNK_HOME/etc/system/local/props.conf has to look like this:
[wineventlog:security]
# Calculated fields: EVAL-<fieldname> = <eval expression>, one per multivalue field
EVAL-Account_Domain = mvjoin(Account_Domain, "; ")
EVAL-Account_Name = mvjoin(Account_Name, "; ")
EVAL-Security_ID = mvjoin(Security_ID, "; ")
EVAL-Logon_ID = mvjoin(Logon_ID, "; ")
You add a calculated field for each of the desired fields that have the linefeed in it.
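A third way to get the same CSV without hand-escaping every eval, as an added example that is not from the original thread: the list of multivalue fields generates the eval chain, the SPL is kept in single-quoted strings so PowerShell leaves the `\"` escapes alone (Windows PowerShell passes the argument to splunk.exe unchanged, and the C runtime turns `\"` into a literal quote, which is also why the `\""; \""` form above works), and `splunk.exe search -output csv` writes the rows. The output file name, the PowerShell 7.3+ guard and an already logged-in CLI session are assumptions.

```powershell
# Added example (not from the thread): export Windows logon events to CSV through
# splunk.exe without escaping each eval by hand. Assumes splunk.exe is on PATH and
# the CLI session is already authenticated (otherwise append -auth user:password).
$ErrorActionPreference = 'Stop'

# PowerShell 7.3+ escapes embedded quotes itself; keep the 5.1 pass-through rules so
# the \" sequences below reach splunk.exe unchanged.
if ($PSVersionTable.PSVersion -ge [version]'7.3') {
    $PSNativeCommandArgumentPassing = 'Legacy'
}

$eventCodes = 4776, 4648, 4624, 4672, 4647, 4634
$mvFields   = 'Account_Domain', 'Account_Name', 'Security_ID', 'Logon_ID'

# One mvjoin per multivalue field. The single-quoted format string keeps PowerShell
# from interpreting the \" escapes that splunk.exe's argument parser needs.
$evals = ($mvFields | ForEach-Object { 'eval {0}=mvjoin({0}, \"; \")' -f $_ }) -join ' | '
$codes = ($eventCodes | ForEach-Object { "EventCode=$_" }) -join ' OR '

$spl = "sourcetype=wineventlog:security ($codes) | $evals | " +
       'table _time, EventCode, ComputerName, Account_Domain, Account_Name, ' +
       'Security_ID, Logon_ID, Logon_Type | sort _time desc'

Write-Host "Running: $spl"   # review the generated search before it runs

# -output csv makes the CLI emit CSV rows; -maxout 0 lifts the default result cap.
& splunk.exe search $spl -output csv -maxout 0 | Out-File -Encoding utf8 'logons.csv'
if ($LASTEXITCODE -ne 0) { throw "splunk search failed with exit code $LASTEXITCODE" }
```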