Splunk Search

searching fields that have multiple lines by using \n or \r\n doesn't work but using <enter> does

smartalik
Engager

I'm trying to do some Windows event blacklisting due to a high volume on a particular server. However, I'm having trouble producing a search to match the events without the search spanning multiple lines.

So we are dealing with windows events. index=wineventlog source=wineventlog:security EventCode=4624.

I have an extracted field (from the Windows infrastructure app) called member_id. This contains two values which seem to be separated by a newline, as they are vertically stacked and look like this when listed in stats or tables:

NULL SID
NT AUTHORITY\SYSTEM

This below search will match the events I'm after correctly:
index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID
NT AUTHORITY\\SYSTEM"

However this does not work:
index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\nNT AUTHORITY\\SYSTEM"

and neither does this:
index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\r\nNT AUTHORITY\\SYSTEM"

or
index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\n\rNT AUTHORITY\\SYSTEM"

In my inputs.conf file I have tried the following and it is not working. I suspect because the blacklist is not expecting to span multiple lines and doesn't know where to start and end.

inputs.conf (for the universal forwarder on the windows endpoint)
[WinEventLog://Security]
disabled = 0
blacklist = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID
NT AUTHORITY\\SYSTEM"
blacklist1 = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID
<Redacted>\\<Redacted>$"

My Google fu has failed me and I don't seem to be able to find out how to do this. I hope some Splunk Guru will be able to help me solve this.

Thanks in advance,

Sean

0 Karma

thambisetty
SplunkTrust

There is proper documentation for the blacklist and whitelist syntax. The blacklist below will not work the way a Splunk search works; you need to replace the blacklist with the forms given as examples in the doc below:

blacklist1 = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID
<Redacted>\\<Redacted>$"

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/MonitorWindowseventlogdata#Create_advanced_f...

Below are the examples to give an idea how blacklist works in UF inputs.conf for windows events:

#to blocklist EventCode=4663 completely
blacklist1 = EventCode=%^4663$%

#to blocklist specified process(tomcat9.exe) captured under Message from event code 4663
#blacklist2 = EventCode = "4663" Message = "Process Name:\s+D:\\app\\application\\Tomcat\\bin\\Tomcat9.exe"

Like EventCode and Message in the above examples, Splunk accepts only the keys mentioned in the doc given above.

————————————
If this helps, give a like below.
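An added example, not from this thread and not Splunk's own code: a small Python simulation of the key=regex blacklist shape shown in thambisetty's reply, run over a constructed and abridged 4624 Message, to show why the multi-line value from the original question has to be expressed as a regex over the raw Message (using \s+ or \r?\n for the line break, since Windows messages carry CRLF) rather than as a search-style member_id="..." string. The parser, the sample event text and the treatment of an unsupported key as a non-match are assumptions of this illustration, not Splunk's implementation.

```python
import re

# Constructed, abridged stand-in for the raw fields of a Windows Security
# 4624 event as a forwarder sees them (CRLF line endings, tab-indented
# "Security ID:" rows). Not a real captured event.
SAMPLE_EVENT = {
    "EventCode": "4624",
    "Message": (
        "An account was successfully logged on.\r\n"
        "\r\n"
        "Subject:\r\n"
        "\tSecurity ID:\t\tNULL SID\r\n"
        "\tAccount Name:\t\t-\r\n"
        "\r\n"
        "New Logon:\r\n"
        "\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM\r\n"
        "\tAccount Name:\t\tSYSTEM\r\n"
    ),
}

# One KEY=regex token; the regex may be wrapped in %...% or "..." so it can
# contain spaces, otherwise it runs to the next whitespace.
BLACKLIST_TOKEN = re.compile(r'(\w+)\s*=\s*(?:%(.*?)%|"(.*?)"|(\S+))')


def parse_blacklist(rule):
    """Split 'KEY=regex KEY2=%regex with spaces%' into {key: compiled regex}.

    Illustrative parser following the documented key=regex shape; it is an
    assumption of this example, not Splunk's parser."""
    rules = {}
    for m in BLACKLIST_TOKEN.finditer(rule):
        key = m.group(1)
        pattern = next(g for g in m.groups()[1:] if g is not None)
        rules[key] = re.compile(pattern)
    return rules


def event_is_blacklisted(event, rule):
    """True only if every KEY=regex pair in the rule matches the event.

    A key that is not a raw event field (e.g. a search-time extraction such
    as member_id) is treated as a non-match here (assumption)."""
    rules = parse_blacklist(rule)
    if not rules:
        return False
    return all(key in event and rx.search(event[key]) for key, rx in rules.items())


# Drop 4663 only: does not touch our 4624 sample.
RULE_4663_ONLY = r'EventCode=%^4663$%'

# The intent from the question, expressed as a regex over the raw Message:
# first "Security ID:" row is NULL SID, a later one is NT AUTHORITY\SYSTEM.
# \s+ absorbs tabs and the CRLF line break; [\s\S]*? spans the lines between.
RULE_MULTILINE = (
    r'EventCode=%^4624$% '
    r'Message=%Security ID:\s+NULL SID[\s\S]*?Security ID:\s+NT AUTHORITY\\SYSTEM%'
)

# Why a bare \n fails on Windows text: the byte after "NULL SID" is \r.
RULE_LF_ONLY = r'EventCode=%^4624$% Message=%NULL SID\n%'
RULE_CRLF_TOLERANT = r'EventCode=%^4624$% Message=%NULL SID\r?\n%'

# member_id is a search-time field, not a key the forwarder can test.
RULE_UNSUPPORTED_KEY = r'EventCode=%^4624$% member_id=%NULL SID%'


def demo():
    """Evaluate each rule against the constructed event."""
    return {
        name: event_is_blacklisted(SAMPLE_EVENT, rule)
        for name, rule in [
            ("4663 only", RULE_4663_ONLY),
            ("multi-line regex", RULE_MULTILINE),
            ("\\n only", RULE_LF_ONLY),
            ("\\r?\\n", RULE_CRLF_TOLERANT),
            ("unsupported key", RULE_UNSUPPORTED_KEY),
        ]
    }


if __name__ == "__main__":
    for name, dropped in demo().items():
        print(f"{name:18s} -> {'blacklisted' if dropped else 'kept'}")
```

The practical takeaway for the thread: write the rule against Message (a key the forwarder actually evaluates), describe the layout of the raw text rather than the extracted member_id value, and use \s+ or \r?\n where the value crosses a line, because the forwarder applies a regex, not a literal search string.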

smartalik
Engager

Thank you thambisetty for your quick response, however I am only using key=value pairs in there, unless you can point out where I'm not? It's just one of the values for the key member_id has a newline char (or something) and I'm not able to match that in a single line with a \n or \r\n. 

Regards,

Sean

0 Karma

thambisetty
SplunkTrust

Please provide a sample _raw event so I can give you an exact solution.

————————————
If this helps, give a like below.
0 Karma

smartalik
Engager

Sorry only SOME key=value pairs are allowed. I'll look into that further, thanks.

0 Karma