Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Windows Event # 4729

hartfoml
Motivator
‎10-03-2011 11:27 AM

How to I extract fields that have the same name:

**Subject:

Security ID:        S-1-5-21-3421131818-2740222167-1022849547-30684
Account Name:       xxxxxxxx
Account Domain:     xxxxxx
Logon ID:       0x2ab3cdc2e

Member:

Security ID:        S-1-5-21-3421131818-2740222167-1022849547-17789
Account Name:       CN=xxxxxx,OU=yyyyyy,OU=zzzz,DC=xxx,DC=xxx,DC=com

Group:

Security ID:        S-1-5-21-3421131818-2740222167-1022849547-512
Group Name:     Domain Admins
Group Domain:       ESCG**

How do I extract out the:
Subject: Account name
Member: Account Name
Group: Group Name

0 Karma
Reply

BobM
Builder
‎12-02-2011 02:43 AM

You need a multi line EXTRACT looking for the group name followed by any number of indented lines and the words "Account Name:" A props.conf with the below should work. I added in New Logon in case you also need EventCode=4624

[WinEventLog:Security]
EXTRACT-test=(?m)^Subject:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?<SubjectAccountName>[^\r\n]+)
EXTRACT-test=(?m)^Member:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?<MemberAccountName>[^\r\n]+)
EXTRACT-test=(?m)^New Logon:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?<NewAccountName>[^\r\n]+)
EXTRACT-gn=(?m)^\s+Group Name:\s+(?<GroupName>[\r\n]+)

In Explanation
(?m) tells splunk to use multi line matching and
(?:\t[^\r\n]+[\r\n]+)+ matches any number of tab indented lines.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎12-01-2011 11:45 PM

This looks like a single event from Win2008 WinEvtLog:Security, albeit a bit chopped up.

/k

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎11-28-2011 02:11 PM

Which log is this data coming from?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...