Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using Rex Command to Extract Username from EventData_Xml Data

SplunkLunk
Path Finder
‎11-07-2017 06:14 AM

Good morning. I'm trying to use rex to extract a username from a MS Windows Application Event Log. The event shows a field called "EventData_Xml" and in there is the following (NOTE: I replaced greater than signs with brackets as it was treating it as HTML and not displaying properly):

[Data]kjewgjkewkj[/Data][Data] Reason: Could not find a login matching the name provided.[/Data][Data] [CLIENT: <local machine>][/Data][Binary]blah, blah, blah[/binary]"

The username is showing in between the first tags (in this case kjewgjkewkj). I put in a fake username and tried connecting to create a failed login event for MSSQL. So I was trying to use rex to grab the text between the first two data tags but I can't get it to work. Using the field extractor in Splunk seems overly complicated when looking at the search code it produces as it is using the _raw field. Is there a simpler way to do it using something like the following:

host=blah* source="WinEventLog:Application"|xmlkv|search EventID=18456|rex field=EventData_Xml "(?)"

Thanks for any help.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎11-07-2017 06:36 AM

@SplunkLunk, you should post code with code button (one with 101010) so that it does not escape.

If you are ingesting Windows Event logs in XML format, you can enable KV_MODE=xml from props.conf. Refer to documentation (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Field_extraction_configuration). This will generate search time field extraction from XML data.

You can also use spath command, to parse XML data. Since your _raw data is XML you can use | spath which should give you fields exctracted automatically. If you know complete structure of XML DOM, you can use path in spath command to extract only the field you need. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath

Following is a run anywhere search using spath with the sample data provided, however, the structure <CLIENT: <local machine>>, does not seem correct for XML:

|  makeresults
|  eval _raw="<Data>kjewgjkewkj</Data><Data> Reason: Could not find a login matching the name provided.</Data><Data><CLIENT: <local machine>></Data><Binary>blah, blah, blah</binary>"
|  spath
|  eval UserName=mvindex(Data,0)

If you want to stick to rex command you can use the following:

|  makeresults
|  eval _raw="<Data>kjewgjkewkj</Data><Data> Reason: Could not find a login matching the name provided.</Data><Data><CLIENT: <local machine>></Data><Binary>blah, blah, blah</binary>"
|  rex "\<Data\>(?<UserName>[^\<]+)\<\/Data\>"

PS: By default max_match parameter of rex command is set to 1 which means it will only extract first occurrence of <Data>.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex

Since the exact answer depends on the structure of your data, please re-post sample data using code button (101010).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎11-07-2017 06:36 AM

@SplunkLunk, you should post code with code button (one with 101010) so that it does not escape.

If you are ingesting Windows Event logs in XML format, you can enable KV_MODE=xml from props.conf. Refer to documentation (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Field_extraction_configuration). This will generate search time field extraction from XML data.

You can also use spath command, to parse XML data. Since your _raw data is XML you can use | spath which should give you fields exctracted automatically. If you know complete structure of XML DOM, you can use path in spath command to extract only the field you need. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath

Following is a run anywhere search using spath with the sample data provided, however, the structure <CLIENT: <local machine>>, does not seem correct for XML:

|  makeresults
|  eval _raw="<Data>kjewgjkewkj</Data><Data> Reason: Could not find a login matching the name provided.</Data><Data><CLIENT: <local machine>></Data><Binary>blah, blah, blah</binary>"
|  spath
|  eval UserName=mvindex(Data,0)

If you want to stick to rex command you can use the following:

|  makeresults
|  eval _raw="<Data>kjewgjkewkj</Data><Data> Reason: Could not find a login matching the name provided.</Data><Data><CLIENT: <local machine>></Data><Binary>blah, blah, blah</binary>"
|  rex "\<Data\>(?<UserName>[^\<]+)\<\/Data\>"

PS: By default max_match parameter of rex command is set to 1 which means it will only extract first occurrence of <Data>.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex

Since the exact answer depends on the structure of your data, please re-post sample data using code button (101010).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

SplunkLunk
Path Finder
‎11-07-2017 06:50 AM

Thanks. I used the main part of your rex statement to make it work. My search now looks like:

host=blah* source="WinEventLog:Application"|xmlkv|search EventID=18456 OR EventID=18453 |rex field=EventData_Xml "[Data](?[User][^<]+)[\/Data]"

This seems to get me the results I want (greater than signs switched for brackets).

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-07-2017 07:04 AM

@SplunkLunk, I have converted my comment to Answer. Please accept.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2017 06:21 AM

Hi SplunkLunk,
Di you tried this rex

host=blah* source="WinEventLog:Application"
|xmlkv
|search EventID=18456
|rex field=EventData_Xml "\[Data\](?<UserName>[^\[]*)\[\/Data\]"

You can test it at https://regex101.com/r/EdaRpI/1

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

SplunkLunk
Path Finder
‎11-07-2017 06:52 AM

Thanks. The above poster had a subtle difference in the rex expression which stopped it at the first occurrence of the html tag. That got me the results I wanted.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2017 06:56 AM

If you're satisfied, please, accept or upvote it.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

SplunkLunk
Path Finder
‎11-07-2017 06:32 AM

Thanks. That's closer but it's adding the text from the next html data tag. So now the username looks like:

"kjewgjkewkj[/Data][Data] Reason: Could not find a login matching the name provided."

Again, I've traded the greater than signs for brackets.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2017 06:54 AM

add match=1 to the rex command

 host=blah* source="WinEventLog:Application"
 |xmlkv
 |search EventID=18456
 |rex field=EventData_Xml "\[Data\](?<UserName>[^\[]*)\[\/Data\]" match=1

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

SplunkLunk
Path Finder
‎11-07-2017 07:02 AM

adding max_match=1 still didn't seem to work. The results for UserName still show:

kjewgjkewkj[/Data][Data] Reason: Could not find a login matching the name provided.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...