Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Missing Event details when trying to Extract Fields from an Active Directory event

mpatnode
Path Finder
‎08-16-2010 08:17 PM

I have the following raw AD event which I can see from my search:

08/16/2010 12:55:56.0110
dcName=w2k3r2.demo.dev
admonEventType=Update
Names:
    objectCategory=CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=demo,DC=dev
    name=bsmith
    displayName=$CimsUserVersion2
    distinguishedName=CN=bsmith,CN=Users,CN=default,CN=Zones,CN=Centrify,CN=Program Data,DC=demo,DC=dev
    cn=bsmith
Object Details:
    objectGUID=cffb0829-0642-134c-2ef1-f03cc696e10b
    whenChanged=20100816195556.0Z
    whenCreated=20070906020209.0Z
    objectClass=top|leaf|connectionPoint|serviceConnectionPoint
Event Details:
    uSNChanged=127046
    uSNCreated=14129
    instanceType=4
Additional Details:
    keywords=foo:1111|bar:3333|too:3333
    showInAdvancedViewOnly=TRUE

Whenever I try to use the "Extact Fields" UI, the event is truncated after "Event Details" in the "Sample events" frame. What's preventing me from seeing the entire event?

Reply
1 Solution
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎08-16-2010 10:55 PM

In order to prevent the limited screen real estate from exploding, sample events are truncated at 15 lines (with at most 100 events). I have filed a request for improvement.

From the standard search view, you can still manually test out a regex with the 'rex' search command, and when it works, manually add that regex to your source or sourcetype from the Manager (i.e., Manager » Fields » Field extractions)

View solution in original post

Reply
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎08-16-2010 10:55 PM

In order to prevent the limited screen real estate from exploding, sample events are truncated at 15 lines (with at most 100 events). I have filed a request for improvement.

From the standard search view, you can still manually test out a regex with the 'rex' search command, and when it works, manually add that regex to your source or sourcetype from the Manager (i.e., Manager » Fields » Field extractions)

Reply
Solved! Jump to solution

carasso
Splunk Employee
Splunk Employee
‎08-26-2010 07:48 PM

unfortunately, no.

0 Karma
Reply
Solved! Jump to solution

mpatnode
Path Finder
‎08-17-2010 01:34 AM

Well that explains that. I did figure out how to use 'rex' as a work around. The next question is can I do dynamic field name generation the same way Splunk does? Something like this:

sourcetype="ActiveDirectory" keywords=* | rex field=_raw "keywords=(?<_KEY_1>[a-z]):(?<_VALUE_1>[0-9])

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti &#x1f389; —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...