I have this regex expression:
REGEX = (?m)^EventCode=(4674)|(ServerName\$)
This works great to identify the two conditions using the "http://gskinner.com/RegExr/" tool
When I turn it on using Props.conf to identify the server and transforms.conf to identify the two conditions, it blocks all EventCode=4674, not just the ones with "ServerName$" in the event
Is there a better tool than "http://gskinner.com/RegExr/" to test Regex?
Sorry All
I do have the escape character in the regex before the $. It was a typo.
REGEX = (?m)^EventCode=(4674)|(ServerName\$)
I must be doing something wrong because this works in the regexpal tool too.
Here is the event snippet:
SourceName=Microsoft Windows security auditing.
EventCode=4674
EventType=0
Type=Information
ComputerName=Servername.domain.com
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=29387782
Keywords=Audit Success
Message=An operation was attempted on a privileged object.
Subject:
Security ID: S-1-5-20
Account Name: ServerName$
Account Domain: Domain
Logon ID: 0x3e4
When I use the REGEX "EventCode=(4674)|(ServerName\$)" the tool finds both conditions
Maybe it is finding the first OR the second.
The regex to find both like EventCode=(4674).+(ServerName\$) does not find either condition
I tried what you posted and I got this
Sorry, tried to upload the image, not working
Also, if I use this at the search line it works, but I don't know how to turn this into a REGEX for the Transforms.conf
host=ServerName | regex _raw=(?m)^EventCode=(4674) | regex _raw=(ServerName\$)
Thanks for the help
You were right, I was wrong. I was able to use your suggestion and I was able to find out what I was doing wrong with the tester
This was the answer and thanks very much for your help
So you're saying it doesn't work? I just tried it in RegExr and it works as it should.
Thanks for trying
I will open a case with Splunk to get this resolved
Thanks again
(?s)EventCode=(4674).+?(ServerName\$)
Can you show me an example
I tried this "EventCode=(4674).+?(ServerName\$)"
And it did not work
You need the (?s) modifier to make . match newlines.
Well, the | character is an OR operator, so I'm a bit surprised that it is working properly in RegExr (though it is an excellent tool, so I'm not brave enough to say that it is absolutely wrong and I'm right).
If you're searching for events that contain the EventCode first AND then the ServerName at the end, you should be using something like ".+" or ".+?" in your regex instead of "|".
As for other regex sites, I always liked http://regexpal.com/ .
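To see why the three patterns from this thread behave differently when applied to a whole multi-line event (as transforms.conf does), here is an added check, not from the thread or from Splunk; Python's re module stands in for Splunk's PCRE engine, and the second event (same log, different account) is constructed:

```python
import re

# Constructed sample events, modelled on the snippet posted in the thread:
# the event that should be matched, and a 4674 event for a different account.
EVENT_TARGET = """SourceName=Microsoft Windows security auditing.
EventCode=4674
EventType=0
Type=Information
ComputerName=Servername.domain.com
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=29387782
Keywords=Audit Success
Message=An operation was attempted on a privileged object.
Subject:
Security ID: S-1-5-20
Account Name: ServerName$
Account Domain: Domain
Logon ID: 0x3e4"""

EVENT_OTHER = EVENT_TARGET.replace("Account Name: ServerName$", "Account Name: jdoe")

# The three candidate patterns discussed in the thread.
PATTERNS = {
    "alternation": r"(?m)^EventCode=(4674)|(ServerName\$)",   # OR: matches every 4674 event
    "no_dotall":   r"EventCode=(4674).+?(ServerName\$)",      # . stops at the newline, never matches
    "dotall":      r"(?s)EventCode=(4674).+?(ServerName\$)",  # the accepted fix: . spans lines
}


def matches(pattern: str, event: str) -> bool:
    """Return True if the pattern matches anywhere in the raw event text."""
    return re.search(pattern, event) is not None


def evaluate(events: dict) -> dict:
    """Run every candidate pattern over every event: {pattern_name: {event_name: bool}}."""
    return {name: {ev: matches(pat, text) for ev, text in events.items()}
            for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for name, result in evaluate({"target": EVENT_TARGET, "other": EVENT_OTHER}).items():
        print(f"{name:12s} {result}")
```

Only the (?s) pattern matches the ServerName$ event while leaving the other 4674 event alone, which is the filtering behaviour the original poster wanted.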