Splunk Search

Query giving multiple results in the same field, how to parse?

MacAllen
Engager

Doing a query on AD events for adding users to groups. There are 3 events, one for each type of group. 2 of them are very straightforward: account_name is the account, group_name is the group, easy peasy. However, event 4756 shoves everything into the account_name field, so I get something like this:

Account_Name

my_username
CN=user_I_Added
Enterprise Admins
 
All of this is in 1 line.  Looking inside the event, I get this:
Subject:
Security ID: mysid
Account Name: my_username
Account Domain: my domain
Logon ID: 0xmyid
 
Member:
Security ID: hersid
Account Name: CN=her_username
 
Group:
Security ID: groupside
Account Name: Enterprise Admins
Account Domain: my_domain
 
I'd like to select on group_name, but for some reason Enterprise Admins is shoved into one of 3 Account_names in the same event.  Suggestions on parsing this?  "Moving" the name to group_name?
1 Solution

yuanliu
SplunkTrust

Given the fixed data syntax and segment order, @livehybrid's approach should work. I'd like to offer a different, more semantic approach that depends less on exact order and strings.

| rex mode=sed "s/(.*\n)*Message=.*\n//"
| eval data = split(_raw, "

")
| mvexpand data
| rex field=data max_match=0 mode=sed "s/(.+): *(.+)\n/\"\1\":\"\2\",\n/g
  s/,\n([^\"]+): *(.+)/,\"\1\":\"\2\"}\n}/g
  s/(.+): */{\n\"\1\":{/"
| spath input=data
| stats values(*) as * by RecordNumber
| fields - data

The idea is to convert the structured Message into JSON so it handles all embedded data. (The above is one of several possible ways of doing this.)

Using the same emulation @livehybrid provides, this is the output:

RecordNumber            1098888999
ComputerName            DC.ACME.COM
EventCode               4756
Group.Account Domain    my_domain
Group.Account Name      Enterprise Admins
Group.Security ID       groupside
Member.Account Name     CN=her_username
Member.Security ID      hersid
Subject.Account Domain  my domain
Subject.Account Name    my_username
Subject.Logon ID        0xmyid
Subject.Security ID     mysid

If spaces in field names such as "Group.Account Name" are a hindrance, they can be replaced with a printable character before or after.

Hope this helps.


livehybrid
SplunkTrust

Hi @MacAllen 

How about this?

| rex field=_raw max_match=10 "Account Name: (?<account_name>[^\n]+)"
| eval subject_name = mvindex(account_name,0)
| eval member_name   = mvindex(account_name,1)
| eval group_name    = mvindex(account_name,2)
| table subject_name member_name group_name


If your Account_names is already a multivalue field then you won't need the rex command; just pluck the relevant items from the mv field using mvindex. Full example below:

| windbag | head 1 | eval _raw="08/14/2025 01:21:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4756
EventType=0
Type=Information
ComputerName=DC.ACME.COM
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1098888999
Keywords=Audit Success
Message=A member was added to a security-enabled universal group.
Subject:
Security ID: mysid
Account Name: my_username
Account Domain: my domain
Logon ID: 0xmyid
 
Member:
Security ID: hersid
Account Name: CN=her_username
 
Group:
Security ID: groupside
Account Name: Enterprise Admins
Account Domain: my_domain
Additional Information:
Privileges: -"
| rex field=_raw max_match=10 "Account Name: (?<account_name>[^\n]+)"
| eval subject_name = mvindex(account_name,0)
| eval member_name   = mvindex(account_name,1)
| eval group_name    = mvindex(account_name,2)
| table subject_name member_name group_name

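As an added example that is not part of either answer above: a small Python parser that does outside Splunk what the two searches do inside it. It keys each value by the section it sits under (Subject, Member, Group), so the Group section's Account Name lands in "Group.Account Name" the way yuanliu's sed-to-JSON search produces it, and it also performs the positional "every Account Name line in order" extraction that livehybrid's rex/mvindex search relies on, so the two can be compared on the same event. The event text is the constructed emulation from livehybrid's post; the PRIVILEGED_GROUPS watch-list, the function names and the "_timestamp" key are this example's own assumptions, not anything from the thread or from Splunk.

```python
import re

# Constructed sample input: the same emulated 4756 event that livehybrid's
# "| windbag | head 1 | eval _raw=..." search builds. The placeholder values
# ("mysid", "groupside", ...) come from the thread, not from a real domain.
SAMPLE_EVENT = """08/14/2025 01:21:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4756
EventType=0
Type=Information
ComputerName=DC.ACME.COM
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1098888999
Keywords=Audit Success
Message=A member was added to a security-enabled universal group.
Subject:
Security ID: mysid
Account Name: my_username
Account Domain: my domain
Logon ID: 0xmyid
 
Member:
Security ID: hersid
Account Name: CN=her_username
 
Group:
Security ID: groupside
Account Name: Enterprise Admins
Account Domain: my_domain
Additional Information:
Privileges: -"""

HEADER_RE = re.compile(r"^(\w+)=(.*)$")    # Key=Value lines up to Message=
SECTION_RE = re.compile(r"^([^:]+):\s*$")  # "Subject:", "Member:", "Group:"
KV_RE = re.compile(r"^([^:]+):\s*(.*)$")   # "Account Name: value"


def parse_event(raw: str) -> dict:
    """Turn one event into a flat dict keyed like yuanliu's spath output,
    e.g. {"EventCode": "4756", "Group.Account Name": "Enterprise Admins"}.

    The section header, not the position of an "Account Name:" line,
    decides which key a value lands under, so Subject, Member and Group
    never collide even if a section is missing or the order changes.
    """
    fields = {}
    section = None
    in_message = False
    for line in raw.splitlines():
        line = line.strip()  # the emulation has separator lines holding one space
        if not line:
            continue
        if not in_message:
            m = HEADER_RE.match(line)
            if m:
                key, value = m.groups()
                fields[key] = value
                in_message = key == "Message"  # everything after it is the body
            else:
                fields.setdefault("_timestamp", line)  # assumed name for line 1
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KV_RE.match(line)
        if m and section is not None:
            fields[f"{section}.{m.group(1)}"] = m.group(2)
    return fields


def positional_account_names(raw: str) -> list:
    """livehybrid's approach: every 'Account Name:' value in document order.
    Index 0 is Subject, 1 Member, 2 Group only while all three sections carry
    an Account Name line and appear in that order."""
    return re.findall(r"^Account Name: *(.+)$", raw, flags=re.MULTILINE)


# Assumed watch-list for the check below; tune it to the environment.
PRIVILEGED_GROUPS = {"Enterprise Admins", "Domain Admins", "Schema Admins", "Administrators"}


def privileged_group_additions(events) -> list:
    """Return (who, whom, group) for every 4756 that adds a member to a
    watched group: the selection on group_name the question asks for."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != "4756":
            continue
        group = ev.get("Group.Account Name")
        if group in PRIVILEGED_GROUPS:
            hits.append((ev.get("Subject.Account Name"),
                         ev.get("Member.Account Name"), group))
    return hits


if __name__ == "__main__":
    parsed = parse_event(SAMPLE_EVENT)
    for key in sorted(parsed):
        print(f"{key:32} {parsed[key]}")
    print(positional_account_names(SAMPLE_EVENT))
    print(privileged_group_additions([parsed]))
```

On this event the positional list and the section-aware parse agree, because Subject, Member and Group each carry an Account Name line and appear in that order; the section-keyed fields are what keep the Group name in "Group.Account Name" when that assumption does not hold, which is the point of yuanliu's approach. A line whose value is empty after the colon (for example an "Account Domain:" with nothing following) would be read as a section header by this parser, so real feeds deserve a check for that before the keys are trusted.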
