Splunk Search

searching fields that have multiple lines by using \n or \r\n doesn't work but using <enter> does

smartalik
Engager

I'm trying to do some Windows event blacklisting due to a high volume on a particular server. However, I'm having trouble producing a search that matches the events without the search spanning multiple lines.

So we are dealing with windows events. index=wineventlog source=wineventlog:security EventCode=4624.

I have an extracted field (from the Windows infrastructure app) called member_id. This contains two values which seem to be separated by a new line, as they are vertically stacked and look like this when listed in stats or tables:

NULL SID
NT AUTHORITY\SYSTEM

The search below correctly matches the events I'm after:
index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID
NT AUTHORITY\\SYSTEM"

However, this does not work:
index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\nNT AUTHORITY\\SYSTEM"

and neither does this:
index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\r\nNT AUTHORITY\\SYSTEM"

or
index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\n\rNT AUTHORITY\\SYSTEM"

In my inputs.conf file I have tried the following and it is not working. I suspect this is because the blacklist is not expecting to span multiple lines and doesn't know where to start and end.

inputs.conf (for the universal forwarder on the windows endpoint)
[WinEventLog://Security]
disabled = 0
blacklist = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID
NT AUTHORITY\\SYSTEM"
blacklist1 = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID
<Redacted>\\<Redacted>$"

My Google fu has failed me and I don't seem to be able to find out how to do this. I hope some Splunk Guru will be able to help me solve this.

Thanks in advance,

 

Sean

0 Karma

thambisetty
SplunkTrust

There is proper documentation for the blacklist and whitelist syntax. The blacklist below will not work the way a Splunk search works; you need to rewrite the blacklist as in the examples given in the doc below:

blacklist1 = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID
<Redacted>\\<Redacted>$" 

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/MonitorWindowseventlogdata#Create_advanced_f...

Below are examples to give an idea of how blacklist works in UF inputs.conf for Windows events:

 

#to blocklist EventCode=4663 completely
blacklist1 = EventCode=%^4663$%

#to blocklist specified process(tomcat9.exe) captured under Message from event code 4663
#blacklist2 = EventCode = "4663" Message = "Process Name:\s+D:\\app\\application\\Tomcat\\bin\\Tomcat9.exe"

 

Like EventCode and Message in the examples above, Splunk accepts only the keys mentioned in the doc linked above.

————————————
If this helps, give a like below.
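To make the key=regex form of a blacklist line concrete, here is an added Python example (not code from this thread, and not Splunk's own matching code) that emulates one blacklistN entry against a constructed Event ID 4624 Message body. The Message text is constructed for the example, since the original poster did not share a _raw event; the rule semantics assumed (every key=regex pair in one entry must match for the event to be dropped) follow the linked docs, and the inputs.conf line shown in the comment is an assumption to verify against that page. The example also shows why a literal `\n` in the pattern is fragile: it matches LF-terminated text but not CRLF, whereas `\s+` absorbs tabs and either line ending.

```python
import re

# Constructed sample of a 4624 Message body as the Security log renders it
# (tab-indented "key:\t\tvalue" lines). Not a real event from the thread.
SAMPLE_MESSAGE_LF = (
    "An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\t-\n"
    "\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM\n"
    "\tAccount Name:\t\tSYSTEM\n"
)
# The same event with CRLF line endings, which forwarded events may carry.
SAMPLE_MESSAGE_CRLF = SAMPLE_MESSAGE_LF.replace("\n", "\r\n")

# One blacklist entry in key=regex form. [\s\S]*? spans lines regardless of
# whether "." matches newlines in the engine; \s+ tolerates tabs, LF and CRLF.
# Assumed inputs.conf equivalent (verify escaping against the linked doc):
#   blacklist2 = EventCode="4624" Message="Security ID:\s+NULL SID[\s\S]*?Security ID:\s+NT AUTHORITY\\SYSTEM"
RULE = {
    "EventCode": r"^4624$",
    "Message": r"Security ID:\s+NULL SID[\s\S]*?Security ID:\s+NT AUTHORITY\\SYSTEM",
}

# A pattern with a literal \n: works for LF events only.
LITERAL_LF_RULE = {
    "EventCode": r"^4624$",
    "Message": r"NULL SID\n",
}


def rule_blocks(event: dict, rule: dict) -> bool:
    """Emulate a single blacklistN line: every key=regex pair must match."""
    return all(
        re.search(regex, str(event.get(key, ""))) is not None
        for key, regex in rule.items()
    )


def security_ids(message: str) -> list:
    """Pull the stacked 'Security ID:' values out of a Message body.

    This is how the two values the poster sees in member_id arise: one from
    the Subject block and one from the New Logon block. \s*$ with MULTILINE
    strips a trailing \r so CRLF input yields the same list as LF input.
    """
    return re.findall(r"Security ID:\s+(.+?)\s*$", message, re.M)


if __name__ == "__main__":
    for name, msg in (("LF", SAMPLE_MESSAGE_LF), ("CRLF", SAMPLE_MESSAGE_CRLF)):
        event = {"EventCode": "4624", "Message": msg}
        print(name, "ids:", security_ids(msg))
        print(name, "robust rule blocks:", rule_blocks(event, RULE))
        print(name, "literal \\n rule blocks:", rule_blocks(event, LITERAL_LF_RULE))
```

Running it shows the `\s+` based rule dropping both the LF and CRLF variants while the literal `\n` rule only catches the LF one, which is the behaviour the thread is running into.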

smartalik
Engager

Thank you thambisetty for your quick response; however, I am only using key=value pairs in there, unless you can point out where I'm not? It's just that one of the values for the key member_id has a newline char (or something) and I'm not able to match it on a single line with a \n or \r\n.

Regards,

 

Sean

0 Karma

thambisetty
SplunkTrust

Please provide a sample _raw event so I can give you an exact solution.

————————————
If this helps, give a like below.
0 Karma

smartalik
Engager

Sorry, only SOME key=value pairs are allowed. I'll look into that further, thanks.

0 Karma