How to extract usernames from Windows event log 46...

Pundittech · ‎02-08-2023

hi

Have a large index that contains event logs. Trying to extract usernames of EventID 4648.

How can I get this displayed along with the computer name it logged into?

Thanks in advance.

Pundittech · ‎02-09-2023

@gcuselloI sent you a PM. Thanks

gcusello · ‎02-09-2023

Hi @Pundittech,

it's an xml format, if you use the INDEXED_EXTRACTIONS=xml in props.conf (on Forwarder, Indexer and Searc Head) you should have all the field extracted.

In addition, you could use the spath command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath) to extract all fields.

At the end, you can also use a regex like the following:

| rex "\<Data Name\=\'SubjectUserName\'\>(?<UserName>[^\<]+)"

that you can test at https://regex101.com/r/ubUniP/1

Ciao.

Giuseppe

gcusello · ‎02-09-2023

Hi @Pundittech ,

I tried spath using your sample logs and it extracts all fields.

Anyway, you can also use this regex:

| rex "(?ms)\<Computer\>(?<Computer>[^\<]+).*\<Data Name\=\'SubjectUserName\'\>(?<SubjectUserName>[^\<]+).*\<Data Name\=\'TargetUserName\'\>(?<TargetUserName>[^\<]+).*\<Data Name\=\'TargetServerName\'\>(?<TargetServerName>[^\<]+).*\<Data Name\=\'ProcessId\'\>(?<ProcessId>[^\<]+).*\<Data Name\=\'ProcessName\'\>(?<ProcessName>[^\<]+).*\<Data Name\=\'IpAddress\'\>(?<IpAddress>[^\<]+).*"

that you can test at https://regex101.com/r/ljtkar/1

Ciao.

Giuseppe

gcusello · ‎02-08-2023

Hi @Pundittech,

could you share some sample of your data, highlighting the values to extract?

Ciao.

Giuseppe

How to extract usernames from Windows event log 4648 in Splunk?

field extraction

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk