Need Help with REGEX for this raw data

zach-keener
Explorer

We need to extract the value behind "<Computer>". I have underlined it to make it easier. It would also be beneficial to have these broken out into single lines. Any help is greatly appreciated!

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData><RenderingInfo Culture='en-US'><Message>Creating RunspacePool object 

0 Karma

yuanliu
SplunkTrust

I always recommend not to treat structured data such as XML as text. Regex is usually the last route you want to go because it is not as robust as QA-tested Splunk built-in functions such as spath.

I suspect the posted data is just a snippet and not the complete event. But the snippet itself looks compliant. If the raw event is compliant XML, Splunk should have given you fields like Event.System.Computer. If you don't have that, try setting KV_MODE=xml. If there are other elements in the raw event that are not part of the XML, e.g., timestamp, log level, etc., you should use rex to extract the compliant XML into a field, say data, then use spath on it.

Here is an emulation based on your mock snippet, assuming you have the XML in data. (Replace with _raw if the entire event is XML.)

 

| makeresults
| eval data ="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData>"
``` data emulation above ```
| spath input=data
| fields - data _*
| transpose column_name=fieldname
| rename "row 1" as fieldvalue

 

This gives

| fieldname | fieldvalue |
| --- | --- |
| Event.EventData.Data | 157f6670-a34e-4258-8c5a-695a5d47a600 |
| | 1 |
| | 1 |
| Event.EventData.Data{@Name} | InstanceId |
| | MaxRunspaces |
| | MinRunspaces |
| Event.System.Channel | Microsoft-Windows-PowerShell/Operational |
| Event.System.Computer | server.domain |
| Event.System.Correlation{@ActivityID} | {157f6670-a34e-4258-8c5a-695a5d47a600} |
| Event.System.EventID | 8194 |
| Event.System.EventRecordID | 5161615 |
| Event.System.Execution{@ProcessID} | 6056 |
| Event.System.Execution{@ThreadID} | 5928 |
| Event.System.Keywords | 0x0 |
| Event.System.Level | 5 |
| Event.System.Opcode | 16 |
| Event.System.Provider{@Guid} | {a0c1853b-5c40-4b15-8766-3cf1c58f985a} |
| Event.System.Provider{@Name} | Microsoft-Windows-PowerShell |
| Event.System.Security{@UserID} | S-1-5-21-3521695231-3467208260-910013933-395133 |
| Event.System.Task | 1 |
| Event.System.TimeCreated{@SystemTime} | 2024-01-25T22:00:11.2420989Z |
| Event.System.Version | 1 |
| Event{@xmlns} | http://schemas.microsoft.com/win/2004/08/events/event |

Hope this helps.

0 Karma
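
The rex-then-spath case described in the answer above (raw event with non-XML text around the XML), as an added example that is not part of the original posts. The event is a constructed sample with an invented prefix and trailer, and the field names pair, name and value are assumptions chosen for illustration; the spath field names are the ones shown in the answer's output table.

```spl
| makeresults
| eval _raw = "2024-01-25T22:00:11Z forwarder01 level=INFO <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell'/><EventID>8194</EventID><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData></Event> trailer=ignored"
| rex field=_raw "(?s)(?<data><Event[\s>].*</Event>)"   ``` keep only the well-formed Event element; prefix and trailer are dropped ```
| spath input=data   ``` structured extraction, same field names as in the table above ```
| rename "Event.System.Computer" AS Computer, "Event.System.EventID" AS EventID
| eval pair = mvzip('Event.EventData.Data{@Name}', 'Event.EventData.Data', "=")   ``` pair each Data Name attribute with its value, in document order ```
| mvexpand pair   ``` one result row per EventData item ```
| rex field=pair "^(?<name>[^=]+)=(?<value>.*)$"
| table Computer EventID name value
```

With the constructed event this yields three rows (InstanceId, MaxRunspaces, MinRunspaces), each carrying Computer=server.domain and EventID=8194.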

ITWhisperer
SplunkTrust

I assume by break into single lines you mean expand to multiple events?

| rex max_match=0 "\<Computer\>(?<computer>[^\<]*)\</Computer\>"
| mvexpand computer
0 Karma