Solved: parsing _internal logs

JohnEGones · ‎10-03-2023

Hi Fellow Splunkers,

Have a hopefully quick question:

Want to pull out the source and host from the Windows _internal splunk logs, but my rex (cribbed from a post on here) isn't working.

index=_internal host IN (spfrd1, spfrd2) source="*\\Splunk\\var\\log\\splunk\\splunkd.log" component=DateParserVerbose 
| rex "Context: source=(?P<sourcetypeissue>\w+)\Shost=(?P<sourcehost>\w+)" 
| stats list(sourcetypeissue) as file_name list(sourcehost)

But I get no stats, my events look like this:

08-24-2022 07:50:20.383 -0400 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Sun Aug 24 07:49:58 2022). Context: source::WMI:WinEventLog:Security|host::SPFRD1|WMI:WinEventLog:Security|1

ITWhisperer · ‎10-03-2023

Try it like this

| rex "Context: source::(?P<sourcetypeissue>\w+)\Shost::(?P<sourcehost>\w+)"

View solution in original post

JohnEGones · ‎10-03-2023

ITWhisperer,

Yeah that doesn't work but now I realize its because there is a file path reference:

source::X:\logs\[some IP]\log123.txt|host::[host]

ITWhisperer · ‎10-03-2023

Try it like this

| rex "Context: source::(?P<sourcetypeissue>\w+)\Shost::(?P<sourcehost>\w+)"

parsing _internal logs

rex

stats

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...