Splunk Search

Windows Events Log

ashishv
Explorer

Hello list,

I have a requirement where I imported a Windows Event log (CSV format) into Splunk, and now I need to extract specific fields out of that log. I tried field extraction, newbie alert, and went nowhere... I will appreciate it if someone can help me with this..

The requirement is to report on the Logon ID and the Workstation type used by that Logon ID.

Here's what the logs look like:

1:02:58.000 PM Information 12/30/2010 1:02:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:

    Security ID:        SYSTEM

    Account Name:       XXXXXXXX

    Account Domain:     CORP

    Logon ID:       0x3e7

Logon Type:         8

New Logon:

    Security ID:        XXXX\XXXXX

    Account Name:       EEEEEEE

    Account Domain:     CORP

    Logon ID:       0x1d34affb6

    Logon GUID:     {8BBCB019-8C3B-F16A-8DBB-702C6D5840DE}

Process Information:

    Process ID:     0x2694

    Process Name:       C:\Windows\System32\inetsrv\w3wp.exe

Network Information:

    Workstation Name:   XXXXXXX

    Source Network Address: 11.11.11.11

    Source Port:        11099

Detailed Authentication Information:

    Logon Process:      Advapi  

    Authentication Package: Negotiate

    Transited Services: -

    Package Name (NTLM only):   -

    Key Length:     0

Ayn
Legend

Hm, that doesn't really look like proper CSV - for instance it doesn't have commas separating the fields!

But, the following regex should work for extracting the Logon ID:

Logon ID:\s*(?<logon_id>\S+)

And correspondingly for Workstation Name:

Workstation Name:\s*(?<workstation_name>\S+)

Apply this using either the interactive field extractor, or by using the rex operator.

mw
Splunk Employee

Do you have the Windows app installed? If not, I believe it should take care of all of these extractions for you. You can install it even if your Splunk instance is on *nix.

Ayn
Legend

Are these separate lines treated as separate events as well now, or do you have some line breaking rules in place that make sure they're all part of the same event? If it's the former I'd suggest that you look into the transaction command, perhaps something like "| transaction startswith='Subject:'". In the latter case the field extractions should work fine.


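An added example, not code from this thread or from Splunk, that applies the two regexes from the accepted answer to a constructed 4624 record using Python's `re` module (Python spells the same named group `(?P<name>...)`). It also covers the line-breaking point from the follow-up: `split_events` regroups raw lines into whole events the way `| transaction startswith=...` would after the fact, and `extract_4624` goes beyond the answer by taking the Logon ID from the "New Logon:" section rather than the Subject's, since a 4624 record carries both. The sample log, the header pattern and the helper names (`split_events`, `extract_first_match`, `extract_4624`, `report`) are all constructed for this example.

```python
import re

# Constructed sample: two Security event 4624 records in the multi-line text layout
# from the question. Account and host names are placeholders; Logon IDs, Logon Type
# and network fields of the first record reuse the question's values.
SAMPLE_LOG = r"""
Information 12/30/2010 1:02:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
    Security ID:        SYSTEM
    Account Name:       WEBHOST$
    Account Domain:     CORP
    Logon ID:       0x3e7

Logon Type:         8

New Logon:
    Security ID:        CORP\svc_web
    Account Name:       svc_web
    Account Domain:     CORP
    Logon ID:       0x1d34affb6
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Network Information:
    Workstation Name:   WEBHOST
    Source Network Address: 11.11.11.11
    Source Port:        11099
"
Information 12/30/2010 1:05:10 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
    Security ID:        SYSTEM
    Logon ID:       0x3e7

Logon Type:         10

New Logon:
    Account Name:       jdoe
    Logon ID:       0x1d3500a21

Network Information:
    Workstation Name:   LAPTOP-01
    Source Network Address: 10.0.0.25
"
"""

# A new event starts at each unindented header line carrying the timestamp and provider.
HEADER_RE = re.compile(r"^\S.*\b\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M\b.*Microsoft-Windows-Security-Auditing")

def split_events(text):
    """Group raw lines into whole events: what correct line breaking at index time
    gives you, and what `| transaction startswith=...` reassembles afterwards if every
    line was indexed as its own event."""
    events, current = [], []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            if current:
                events.append("\n".join(current))
            current = [line]
        elif current:  # lines before the first header are dropped
            current.append(line)
    if current:
        events.append("\n".join(current))
    return events

# The answer's two regexes, in Python's (?P<name>...) spelling of the same named group.
LOGON_ID_RE = re.compile(r"Logon ID:\s*(?P<logon_id>\S+)")
WORKSTATION_RE = re.compile(r"Workstation Name:\s*(?P<workstation_name>\S+)")

def extract_first_match(event):
    """First match of each pattern, which is what `rex` returns by default."""
    fields = {}
    for rx in (LOGON_ID_RE, WORKSTATION_RE):
        m = rx.search(event)
        if m:
            fields.update(m.groupdict())
    return fields

# Caveat: a 4624 record carries two "Logon ID:" lines. The first belongs to the Subject
# (the account that performed the logon, typically SYSTEM/0x3e7); the one under
# "New Logon:" is the session that was actually created, so first-match extraction
# reports the wrong one for a logon report. Anchor on the section header and let the
# match span lines (DOTALL) to pick the New Logon value.
NEW_LOGON_ID_RE = re.compile(r"New Logon:.*?Logon ID:\s*(?P<new_logon_id>\S+)", re.DOTALL)
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(?P<logon_type>\d+)")

def extract_4624(event):
    """New session's Logon ID, logon type and workstation; None where a field is absent."""
    fields = {"new_logon_id": None, "logon_type": None, "workstation_name": None}
    for rx in (NEW_LOGON_ID_RE, LOGON_TYPE_RE, WORKSTATION_RE):
        m = rx.search(event)
        if m:
            fields.update(m.groupdict())
    return fields

def report(text):
    """One row per event: the fields the question asked to report on."""
    return [extract_4624(event) for event in split_events(text)]
```

On the Splunk side the same two ideas map to a `BREAK_ONLY_BEFORE` line-breaking rule in props.conf matching the header line (so each record is indexed as one event) and a `rex` whose pattern starts with the `(?s)` modifier so `.` crosses line breaks, as in `New Logon:.*?Logon ID:\s*(?<new_logon_id>\S+)`. Without that anchor, the accepted answer's regex returns the Subject's Logon ID (0x3e7 in the question's sample), not the new session's.
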
ashishv
Explorer

My bad, this is not a CSV. The Windows Event log is saved as a text log, and I imported it in the Splunk monitor using "upload a local file".

Not sure how to attach a file to this question...

ashishv
Explorer

Ahhh, I don't know how this got formatted... all these vars are on separate lines.
