Splunk Search

Split up multiline values

secphilomath1
Explorer

I am trying to run the following search:

index=tripwire LogCategory="Audit Event" AND "/etc/pki/rpm-gpg/RPM-GPG-KEY-shibboleth-7" AND "myserver.mydomain.com"
| rex max_match=0 field=_raw "(?<lineData>[^\n]+)"
| rex field=Msg "'(?<FilePath>.*)' accessed by"
| rex field=_raw "accessed\sby\s'(?<Audit_UserName>.*)'.\sType"

| table _time, FilePath, Audit_UserName

However, the way I am splitting the multiline data doesn't appear to be working with this data.

Here is a sample of the data as viewed in Notepad++ with symbols;

secphilomath1_0-1709673410204.png

Every line ends in CR LF 

However, in Splunk it isn't splitting up the events.  What am I missing here?  I have had this work with similar data but unsure what is different in this situation.

TIA!

Labels (1)
Tags (2)
0 Karma
1 Solution

burwell
SplunkTrust
SplunkTrust

I can't quiet tell what is the input data and how Splunk is splitting.

Do you want separate events for each time you have Feb 13 etc? If so provide a props for your indexers to say that the event starts with the date at the beginning of the line etc.

 

View solution in original post

0 Karma

secphilomath1
Explorer

Not yet no

0 Karma

burwell
SplunkTrust
SplunkTrust

I can't quiet tell what is the input data and how Splunk is splitting.

Do you want separate events for each time you have Feb 13 etc? If so provide a props for your indexers to say that the event starts with the date at the beginning of the line etc.

 

0 Karma

burwell
SplunkTrust
SplunkTrust

Hi so how is are the events being split by Splunk? And do you have any props to tell splunk how to split the events?

0 Karma
Get Updates on the Splunk Community!

Holistic Visibility and Effective Alerting Across IT and OT Assets

Instead of effective and unified solutions, they’re left with tool fatigue, disjointed alerts and siloed ...

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...