Splunk Search

struggle with RegEx field extraction on a Windows Event log

feichinger
Path Finder

Hey - I'm taking my first steps on extracting fields with RegEx and can't seem to get this one working... any help would be appreciated

The events look like this:

12/10/2019 07:40:23 AM
LogName=ARAdminService
SourceName=ARAdminSvc
EventCode=1521
EventType=4
Type=Information
ComputerName=wmidcars73.idexcorpnet.com
User=NOT_TRANSLATED
Sid=S-1-5-21-2094280246-649338158-1033845588-46148
SidType=0
TaskCategory=ScheduledTask
OpCode=Info
RecordNumber=11331718
Keywords=Classic
Message=Scheduled task has reported an event. 

Task ID: 089546a0-3a4b-4b66-9e4e-43bc9a1f48a6 

Object name: Exo-Process-Changes 

Start date: 12/10/2019 

Start time: 7:40:00 AM 

Script module: Exo-Process-Changes 

Task execution was completed

And I want to get that very last line and put it in a "task_status" field.
This is my RegEx (well... one of 20 I tried):

Script module: .*[\n\s\r]*(?<task_status>[^\n\r]*)

So I'm basically looking for that "Script module:" line, and want to take the next line that comes after the line breaks and white spaces.
I used a similar, yet more complex RegEx to extract multiple fields from a different event log, and that worked fine. So I don't get what's wrong with this one.

Just using the field extractor wizard would be great, too, but it seems that my events are longer (line count) than the field extractor can work with.

Thanks in advance

0 Karma
1 Solution

wenthold
Communicator

If you use the Message field I believe the linefeeds will be removed, but just in case you can insert the multiline regex modifier (?m) at the beginning of your rex extraction. Try this:

rex field=Message "(?m)Script module:\s*[^\s]+\s*(?<status>.*)"


jpolvino
Builder

If I understand correctly, you want to capture both the text after the Script Module, and the text line after that. Here is one way to do it:

(your search)
| rex "Script module: (?<scriptModule>.*)\W\W\W\s(?<lastLine>[\W\w]+)$"

Here is the regex101: https://regex101.com/r/YpqNbx/1

feichinger
Path Finder

thank you - I was not looking for the script module line, but it works as you specify and I'll keep that in my notes

feichinger
Path Finder

thanks - that works

0 Karma

feichinger
Path Finder

testing back and forth and the (?m) does not seem to be required - but with or without, your rex works

0 Karma
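As an added illustration, not code from the thread, the following Python runs both patterns over the quoted event twice: once with the line breaks kept, and once with them collapsed to spaces (an assumption about what Splunk does to the Message field, following wenthold's guess). It shows why the original pattern can come back with nothing while the accepted rex works either way, with or without (?m).

```python
import re
from typing import Optional

# Constructed sample of the Message field from the event quoted above, with the
# blank lines between the "Key: value" lines kept as in the raw event.
MULTILINE_MESSAGE = (
    "Scheduled task has reported an event. \n\n"
    "Task ID: 089546a0-3a4b-4b66-9e4e-43bc9a1f48a6 \n\n"
    "Object name: Exo-Process-Changes \n\n"
    "Start date: 12/10/2019 \n\n"
    "Start time: 7:40:00 AM \n\n"
    "Script module: Exo-Process-Changes \n\n"
    "Task execution was completed"
)

# Assumption: Splunk collapses the linefeeds in Message to spaces, as wenthold
# suspects; the thread does not confirm exactly how the field is flattened.
COLLAPSED_MESSAGE = re.sub(r"[\r\n]+", " ", MULTILINE_MESSAGE)

# The two patterns from the thread. Python spells named groups (?P<name>...)
# where Splunk's PCRE accepts (?<name>...); nothing else is changed.
ORIGINAL_PATTERN = r"Script module: .*[\n\s\r]*(?P<task_status>[^\n\r]*)"
ANSWER_PATTERN = r"(?m)Script module:\s*[^\s]+\s*(?P<status>.*)"


def extract(pattern: str, message: str) -> Optional[str]:
    """Return the named capture, or None if the pattern fails or captures nothing.

    Splunk creates no field for an empty capture, so "" is reported as None.
    """
    match = re.search(pattern, message)
    if match is None or not match.group(1):
        return None
    return match.group(1)


def compare(message: str) -> dict:
    """Run the original pattern, the answer, and the answer minus (?m) on one form of Message."""
    return {
        "original": extract(ORIGINAL_PATTERN, message),
        "answer": extract(ANSWER_PATTERN, message),
        "answer_without_m": extract(ANSWER_PATTERN.replace("(?m)", ""), message),
    }


if __name__ == "__main__":
    for label, text in (("multi-line", MULTILINE_MESSAGE), ("collapsed", COLLAPSED_MESSAGE)):
        print(label, compare(text))
```

On the collapsed form the greedy `.*` in the original pattern swallows the rest of the message, leaving `task_status` empty, which is exactly the case `[^\s]+` in the accepted rex avoids.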