Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Windows Event # 4729

hartfoml
Motivator
‎10-03-2011 11:27 AM

How to I extract fields that have the same name:

**Subject:

Security ID:        S-1-5-21-3421131818-2740222167-1022849547-30684
Account Name:       xxxxxxxx
Account Domain:     xxxxxx
Logon ID:       0x2ab3cdc2e

Member:

Security ID:        S-1-5-21-3421131818-2740222167-1022849547-17789
Account Name:       CN=xxxxxx,OU=yyyyyy,OU=zzzz,DC=xxx,DC=xxx,DC=com

Group:

Security ID:        S-1-5-21-3421131818-2740222167-1022849547-512
Group Name:     Domain Admins
Group Domain:       ESCG**

How do I extract out the:
Subject: Account name
Member: Account Name
Group: Group Name

0 Karma
Reply

BobM
Builder
‎12-02-2011 02:43 AM

You need a multi line EXTRACT looking for the group name followed by any number of indented lines and the words "Account Name:" A props.conf with the below should work. I added in New Logon in case you also need EventCode=4624

[WinEventLog:Security]
EXTRACT-test=(?m)^Subject:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?<SubjectAccountName>[^\r\n]+)
EXTRACT-test=(?m)^Member:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?<MemberAccountName>[^\r\n]+)
EXTRACT-test=(?m)^New Logon:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?<NewAccountName>[^\r\n]+)
EXTRACT-gn=(?m)^\s+Group Name:\s+(?<GroupName>[\r\n]+)

In Explanation
(?m) tells splunk to use multi line matching and
(?:\t[^\r\n]+[\r\n]+)+ matches any number of tab indented lines.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎12-01-2011 11:45 PM

This looks like a single event from Win2008 WinEvtLog:Security, albeit a bit chopped up.

/k

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎11-28-2011 02:11 PM

Which log is this data coming from?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...