Splunk Search

Using rex command to extract Message field in Windows Event Logs

Alfred
Explorer

I want to extract from the Message field in the Windows Event Log just the first few words until the period - example would be:

Message=A user account was unlocked. Subject: Security ID: xxxxxxxxxxxxxxxx Account Name: xxxxxxxxxx Account Domain: xxxxxxxxx Logon ID: xxxxxxxxxx Target Account: Security ID: xxxxxxxxxxxxxx-xxxxxxxx Account Name: xxxxxxxxxx Account Domain: xxxxxxxxxx

Labels (1)
Tags (1)
0 Karma
1 Solution

aasabatini
Motivator

Hi @Alfred 

yes, you can use a table comand after the rex comand

| rex field=_raw "(Message=(?<message>[a-zA-z ].*)Subject)" | table message

rex comand can extract fields in search time

If you want define the extraction at index time you can put the regex expression on the props.conf file

Example

[your sourcetype]
EXTRACT-message =  (Message=(?<message>[a-zA-z ].*)Subject)

https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Exampleconfigurationswithprops.conf

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

0 Karma

Alfred
Explorer

That solved it - Thanks for all your help 

 

0 Karma

aasabatini
Motivator

Hi @Alfred 

the best way to extract these fields is:

the key value automatic extraction

https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Automatickey-valuefieldextractionsatsea...

anyway if you need a rex for other reason this is a good way to extract the message field

| rex field=_raw "(Message=(?<message>[a-zA-z ].*)Subject)"
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

Alfred
Explorer

Thanks aasabatini ...  my goal is as follows : 

in the Message ( extracted) field I need to table only the first sentence instead of the whole message   - your rex command seem to be correct but applying it did not change the Message output in the query , I still see the whole message 

0 Karma

Alfred
Explorer

I found an extraction created after running the rex command you sent -  called "name " - I wonder if I can give a name to the rex extraction ... so I can call it in a table 

 

0 Karma

aasabatini
Motivator

Hi @Alfred 

yes, you can use a table comand after the rex comand

| rex field=_raw "(Message=(?<message>[a-zA-z ].*)Subject)" | table message

rex comand can extract fields in search time

If you want define the extraction at index time you can put the regex expression on the props.conf file

Example

[your sourcetype]
EXTRACT-message =  (Message=(?<message>[a-zA-z ].*)Subject)

https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Exampleconfigurationswithprops.conf

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...