Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trouble Matching a regex for Transforms.conf

kholleran
Communicator
‎09-10-2012 09:28 AM

Hi,

I am auditing the Splunk Data directories for any kind of access. To do this, I put EVERYONE in the audit group. I then want to filter out any that come in from the system account:

Fo instance, an event like this is generated

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=COMPUTERNAME.DOMAIN.com
TaskCategory=File System
OpCode=Info
RecordNumber=960826400
Keywords=Audit Success
Message=A handle to an object was requested.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       COMPUTERNAME$
    Account Domain:     DMN
    Logon ID:       0x3e7

Object:
    Object Server:      Security
    Object Type:        File
    Object Name:        C:\Program Files\Splunk\Python-2.7\Lib\encodings
    Handle ID:      0x8c

Process Information:
    Process ID:     0xcf4
    Process Name:       C:\Program Files\Splunk\bin\python.exe

What I want match out to pass to the nullQueue in transforms.conf is across multiple lines:

TaskCategory=File System & Account Name: COMPUTERNAME$

I cannot get this to match no matter the regex I throw in there (I am guessing because it is going across multiple lines).

Thanks for any help.

Kevin

0 Karma
Reply

MarioM
Motivator
‎09-10-2012 10:03 AM

have you tried with (?msi) before your regex? if still not working what is your regex?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...