Yeah, you are right. I need use rex command for create a table or stats count I tried this command: index="srgp_members" host="*" | rex max_match=0 field=_raw "(?<GroupName1>\S+)Administrators(?<GroupName2>\S+)" | table GroupName1, GroupName2 But it seems it's incorrect work ... View more

Whole logs is a single event with more rows One log contains rows: "server.peter.fd.com";"Remote Desktop Users";"S-1-5-21-1326131322-1829978501-250757269-1454717";"";"User";"EU1";"S-1-5-21-1326131322-1829978501-250757269-1454717" "server.peter.fd.com";"";"$AT";"";"user";"domain";"S-1-5-21-1326131322-1829978501-250757269-1584230" "server.peter.fd.com";"";"$OZ";"";"user";"domain";"S-1-5-21-1326131322-1829978501-250757269-1570766" "server.peter.fd.com";"";"$TS";"";"user";"domain";"S-1-5-21-1326131322-1829978501-250757269-1505491" "server.peter.fd.com";"";"$TH";"";"user";"domain";"S-1-5-21-1326131322-1829978501-250757269-1083479" "server.peter.fd.com";"";"$SS";"";"user";"domain";"S-1-5-21-1326131322-1829978501-250757269-1528479" ... View more

It's solution doesn't work ... View more

The script contains a code; setlocal enabledelayedexpansion set d=%date:~0,2% set m=%date:~3,2% set y=%date:~6,4% if %d:~0,1%==0 set d=%d:~1% if %m:~0,1%==0 set m=%m:~1% set /a feb=y%%4 if %feb%==0 (set feb=29) else (set feb=28) set /a tok=m-1 if %tok%==0 set tok=12 for /f "tokens=%tok%" %%i in ("31 %feb% 31 30 31 30 31 31 30 31 30 31") do ( :: минус 1 month set /a m-=1 set /a m-=1 if !d!==0 ( set d=%%i set m=%tok% if !m!==12 set /a y-=1 ) ) set d=0%d% set m=0%m% set lastmonth=%y%-%m:~-2% echo %lastmonth% > out.txt ... View more

Thank you! ... View more

Where I can enter this command? ... View more

I found what I need! Thank you nittala_surya that you gave the right way for exploration 🙂 rex max_match=0 field=_raw "(?:Number\sof\sFailed\sLogins\:)?[\r\n]\s+(?<Failed_login>\S+)\s\-(?!.*AUTHENTICATION)\D+(?<IPs>[A-z0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\s\-(?!.*AUTHENTICATION)\s+(?<DNS>[A-z0-9]+\.[A-z0-9]+\.[A-z0-9]+\.[A-z0-9]+)\s\-\s(?<Count>\w+)" | rex field=_raw "(?<Servers>\w+)\\s.+[^AUTHENTICATION]" | rename Failed_login as "Failed Login" | table "Failed Login", Servers, IPs, DNS, Count ... View more

It seems works! Thank you very much! Maybe you can help me with extract amount of event. It 's last digit(s) in each row. For example: Log_chat - - xx.xxx.xxx.xxx - server01.citytown01.alls.com - 73 73 is an amount of event I tried this code but it's incorrect extract: rex max_match=0 field=_raw "(?<Count_Login_Failed>\w+)\n+(?!.*AUTHENTICATION)" ... View more

nittala_surya below your post help me! Thank you! Sorry, I didn't realize that the regex should be adjusted. Give this a shot: Failed logins: rex max_match=0 field=_raw "(?:Number\sof\sFailed\sLogins:)?[\r\n]\s+(?\S+)\s-(?!.*AUTHENTICATION)" | table Failed_login Success logins: rex max_match=0 field=_raw "(?:Number\sof\sSuccess\sLogins:)?[\r\n]\s+(?\S+)\s-.*AUTHENTICATION" | table Success_login ... View more

It seems works! Thank you very much! Maybe help me with extract amount of event. It 's last digit(s) in each row. For example: Log_chat - - xx.xxx.xxx.xxx - server01.citytown01.alls.com - 73 73 is an amount of event I tried this code but it's incorrect extract: rex max_match=0 field=_raw "(?<Count_Login_Failed>\w+)\n+(?!.*AUTHENTICATION)" ... View more

The same 😞 Didn't help I tried rex max_match=0 field=_raw "Number of Failed Logins:\s+(?P<Failed_Login>\S+)+[^AUTHENTICATION]" | table Failed_Login ... View more

I tried this one for extract failed logon exact: rex "Number of Failed Logins:\s+(?P<Failed_Login>\S+)+[^AUTHENTICATION]" | table Failed_Login But it's extract only first failed logon in log. But I have more then 2 or 3 rows with Failed logons. Help please. ... View more

Hi, I tried this one your_search | rex field=_raw "(?\w+)\Login.+AUTHENTICATION" | rex field=_raw "(?\w+)\Login.+[^AUTHENTICATION]" But it extraction only one first row with account name ... View more

Yeah, I have installed Windows TA And that App have whitelist. I am talking about event code 4625. In message below it's pasted. But in splunk I want create a table with Account Name only. I am using now that rex: source="WinEventLog:Sec*" index="wineventlog" host=xxx02055 EventCode=4625 | rex "Account For Which Logon Failed:\s+Security\sID:\s+\S(.......)\s+Account Name:\s+(?\S+)" | eval CDSID=UserName | rename host as Host EventCode as "Event Code" | stats count by CDSID and it extract: CDSID count AGALYSHE 1 EKOSTYUK 2 RKHAMIDU 2 Skuzmina 1 sroschin But I don't like this S(.......) because in the eventcode maybe more symbols then I pointed in (). How can I set anymore symbols in () where can be before s+Account Name ? ... View more

ANd I have one thing with event 4625. How can I extract only Account Name with non "_" LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=xxx02055.chelny.fo.com TaskCategory=Logon OpCode=Info RecordNumber=38692156 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: RKHAMIDU Account Domain: FOR00001 Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: xxx02055 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. As log belowI need extract only the second Account Name with Login: RKHAMIDU I tried for below log this rex (?ms)Account Name:\s+\S but it delte first symbol of login 😞 And I see in a spunk login as KHAMIDU instead RKHAMIDU ... View more

I need extract all Logins: FOR0001\Login114 Log_chat NT AUTHORITY\SYSTEM FOR0001\Login112 1SSA SQLLSS01 FOR0001\Login118 ... View more

So, I can start bat file, But I have another issue now. Bat file start ok when I start it by myself. When I restart UF, he try to start bat file. AS per splunkd.log it start then create a files but after some jobs with those files the files doesn't copy to folder where located UF. If I start again by myself, the csript will do all jobs which indicated in bat file. It seems that universal forward can't do any command in bat file or maybe UF need additional NTFS permission. How can I check this? I can't see any error info in splunkd.log ... View more

The second link doesn't work Regarding first link, I tried and it works but doesn't work with my code 😞 ... View more

So, I tried to use this code: [script://$SPLUNK_HOME\etc\apps\SQL_Failed_logon\bin\script\LogCheck.bat] disabled = 0 interval = 300 sourcetype = SQL_Audit and if I insert a code into LogChecked.bat as: echo This is a test > "C:\Program Files\Splunk\var\log\splunk\test.txt" echo 123 >> "C:\Program Files\Splunk\var\log\splunk\test.txt" echo 245.67 >> "C:\Program Files\Splunk\var\log\splunk\test.txt" It.s work fine. But if I insert a code into LogChecked.bat as: @Echo Off SetLocal EnableExtensions EnableDelayedExpansion For /F "Delims=" %%I In ('Hostname') Do Set V=%%~I setlocal enabledelayedexpansion set d=%date:~0,2% set m=%date:~3,2% set y=%date:~6,4% if %d:~0,1%==0 set d=%d:~1% if %m:~0,1%==0 set m=%m:~1% set /a feb=y%%4 if %feb%==0 (set feb=29) else (set feb=28) set /a tok=m-1 if %tok%==0 set tok=12 for /f "tokens=%tok%" %%i in ("31 %feb% 31 30 31 30 31 31 30 31 30 31") do ( :: минус 1 month set /a m-=1 set /a m-=1 if !d!==0 ( set d=%%i set m=%tok% if !m!==12 set /a y-=1 ) ) set d=0%d% set m=0%m% set lastmonth=%y%-%m:~-2% @copy "\%V%\SQLLOGS$\ERRORLOG." errorlog..%V% /Z @find "%lastmonth%" Errorlog..%V% > out2.%V% @find "%lastmonth%" Errorlog.1.%V% >> out2.%V% @find "%lastmonth%" Errorlog.2.%V% >> out2.%V% @find "%lastmonth%" Errorlog.3.%V% >> out2.%V% @find "%lastmonth%" Errorlog.4.%V% >> out2.%V% @find "%lastmonth%" Errorlog.5.%V% >> out2.%V% @find "%lastmonth%" Errorlog.6.%V% >> out2.%V% @find "%lastmonth%" Errorlog.7.%V% >> out2.%V% @find "%lastmonth%" Errorlog.8.%V% >> out2.%V% @find "%lastmonth%" Errorlog.9.%V% >> out2.%V% @find "%lastmonth%" Errorlog.10.%V% >> out2.%V% @find "%lastmonth%" Errorlog.11.%V% >> out2.%V% @find "%lastmonth%" Errorlog.12.%V% >> out2.%V% @find "%lastmonth%" Errorlog.13.%V% >> out2.%V% @find "%lastmonth%" Errorlog.14.%V% >> out2.%V% @find "%lastmonth%" Errorlog.15.%V% >> out2.%V% @find "%lastmonth%" Errorlog.16.%V% >> out2.%V% @find "%lastmonth%" Errorlog.17.%V% >> out2.%V% @find "%lastmonth%" Errorlog.18.%V% >> out2.%V% @find "%lastmonth%" Errorlog.19.%V% >> out2.%V% @find "%lastmonth%" Errorlog.20.%V% >> out2.%V% @find "%lastmonth%" Errorlog.21.%V% >> out2.%V% @find "%lastmonth%" Errorlog.22.%V% >> out2.%V% @find "%lastmonth%" Errorlog.23.%V% >> out2.%V% @find "%lastmonth%" Errorlog.24.%V% >> out2.%V% @find "%lastmonth%" Errorlog.25.%V% >> out2.%V% @find "%lastmonth%" Errorlog.26.%V% >> out2.%V% @find "%lastmonth%" Errorlog.27.%V% >> out2.%V% @find "%lastmonth%" Errorlog.28.%V% >> out2.%V% @find "%lastmonth%" Errorlog.29.%V% >> out2.%V% @find "%lastmonth%" Errorlog.30.%V% >> out2.%V% @find "%lastmonth%" Errorlog.31.%V% >> out2.%V% @find "%lastmonth%" Errorlog.32.%V% >> out2.%V% @find "%lastmonth%" Errorlog.33.%V% >> out2.%V% @find "%lastmonth%" Errorlog.34.%V% >> out2.%V% @find "%lastmonth%" Errorlog.35.%V% >> out2.%V% @find "%lastmonth%" Errorlog.36.%V% >> out2.%V% @find "%lastmonth%" Errorlog.37.%V% >> out2.%V% @find "%lastmonth%" Errorlog.38.%V% >> out2.%V% @find "%lastmonth%" Errorlog.39.%V% >> out2.%V% @find "%lastmonth%" Errorlog.40.%V% >> out2.%V% @find "%lastmonth%" Errorlog.41.%V% >> out2.%V% @find "%lastmonth%" Errorlog.42.%V% >> out2.%V% @find "%lastmonth%" Errorlog.43.%V% >> out2.%V% @find "%lastmonth%" Errorlog.44.%V% >> out2.%V% @find "%lastmonth%" Errorlog.45.%V% >> out2.%V% @find "%lastmonth%" Errorlog.46.%V% >> out2.%V% @find "%lastmonth%" Errorlog.47.%V% >> out2.%V% @find "%lastmonth%" Errorlog.48.%V% >> out2.%V% @find "%lastmonth%" Errorlog.49.%V% >> out2.%V% @find "%lastmonth%" Errorlog.50.%V% >> out2.%V% @find "Logon" out2.%V% > out.%V% @del out2.* MonthREport2005.exe %lastmonth% out.%V% outlog%V%.txt %V% 2008 @type outlog%V%.txt >> SumLog.txt @del Errorlog* @del outlog%V%.txt :@del out.* It doesn't work. How can I check what happened in splunk and why this is not work? If I start this code throught cmd it works. ... View more

I tried this: [script://$SPLUNK_HOME/etc/apps/SQL_Failed_logon/bin/script/log.bat] disabled = 0 interval = 300 index = werrorindex sourcetype = sql_audit But it didn't help I created a log.bat for test with simple code: echo This is a test > "C:\Program Files\SplunkUniversalForwarder\etc\apps\SQL_Failed_logon\bin\script\test.txt" echo 123 >> "C:\Program Files\SplunkUniversalForwarder\etc\apps\SQL_Failed_logon\bin\script\test.txt" echo 245.67 >> "C:\Program Files\SplunkUniversalForwarder\etc\apps\SQL_Failed_logon\bin\script\test.txt" ... View more