Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- struggle with RegEx field extraction on a Windows ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey - I'm taking my first steps on extracting fields with RegEx and can't seem to get this one working .. any help would be appriciated
The events look like this:
12/10/2019 07:40:23 AM
LogName=ARAdminService
SourceName=ARAdminSvc
EventCode=1521
EventType=4
Type=Information
ComputerName=wmidcars73.idexcorpnet.com
User=NOT_TRANSLATED
Sid=S-1-5-21-2094280246-649338158-1033845588-46148
SidType=0
TaskCategory=ScheduledTask
OpCode=Info
RecordNumber=11331718
Keywords=Classic
Message=Scheduled task has reported an event.
Task ID: 089546a0-3a4b-4b66-9e4e-43bc9a1f48a6
Object name: Exo-Process-Changes
Start date: 12/10/2019
Start time: 7:40:00 AM
Script module: Exo-Process-Changes
Task execution was completed
And want to get that very last line, and put it in a "task_status" field.
This is my RegEx (well.. one of 20 I tried)
Script module: .*[\n\s\r]*(?<task_status>[^\n\r]*)
So I'm basically looking for that "Script module:" line, and want to take the next line that comes after the line breaks and white spaces.
I used a similar, yet more complex RegEx to extract multiple fields from a different event log, and that worked fine. So I don't get what's wrong with this one.
Just using the field extractor wizard would be great, too, but it seems that my events are longer (line count) than the field extractor can work with.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you use the Message field I believe the linefeeds will be removed, but just case you can insert the multiline regex modifier (?m) at the beginning of your rex extraction. Try this:
rex field=Message "(?m)Script module:\s*[^\s]+\s*(?<status>.*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand correctly, you want to capture both the text after the Script Module, and the text line after that. Here is one way to do it:
(your search)
| rex "Script module: (?<scriptModule>.*)\W\W\W\s(?<lastLine>[\W\w]+)$"
Here is the regex101: https://regex101.com/r/YpqNbx/1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you - I was not looking for the script module line, but it works as you specify and I'll keep that in my notes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you use the Message field I believe the linefeeds will be removed, but just case you can insert the multiline regex modifier (?m) at the beginning of your rex extraction. Try this:
rex field=Message "(?m)Script module:\s*[^\s]+\s*(?<status>.*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks - that works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
testing back and forth and the (?m) does not seem to be required - but with or without, your rex works
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
