×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
SaqibRaheem
New Member
Member since: ‎04-01-2019
‎09-24-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-01-2019
View All

Re: How to extract info from the middle of the mul...

by in Knowledge Management
‎02-21-2020 10:12 AM
‎02-21-2020 10:12 AM
Hello, Thanks for you help I tried the regex code but not returning the desire result if will be nice if we can do via regex This give back all the information index="wineventlog" EventCode=2889 when I add the regex to this still the same info not sure if this makes the difference all the information is under "Message" field we just need to pull from Message and one "ComputerName= server001" field from top 1st line is header and below will be data Client IP address: Identity the client attempted to authenticate as: ComputerName 10.10.00.10 Test\SVC_testLDAP server001 Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection. Client IP address: 10.10.00.10:34567 Identity the client attempted to authenticate as: Test\SVC_testLDAP Binding Type: 3 else i will try Splunk Filed Extraction thanks again for help ... View more

How to extract info from the middle of the multi l...

by in Knowledge Management
‎02-20-2020 08:54 PM
‎02-20-2020 08:54 PM
For this use case see the message below we like to extract is . I can extract this 1st part ok but can not extract the 2nd part Needed information from Event ID message: Ist part --Header--- --Data Results -- Account Name: test01 New Process Name: C:\Program Files\WinZip\Utils ComputerName= server001 2nd Part This is the only information we need from the multi line error message Client IP address: 10.10.00.10:34567 Identity the client attempted to authenticate as: Test\SVC_testLDAP =================================== See Event ID error below as an example: LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4888 EventType=0 Type=Information ComputerName= server001 TaskCategory=Process Creation OpCode=Info RecordNumber=934605653 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: test01 Account Domain: Test Logon ID: 12345test Target Subject: Security ID: NULL SID Account Name: Test Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2030 New Process Name: C:\Program Files\etc\zip.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0ss0x Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection. Client IP address: 10.10.00.10:34567 Identity the client attempted to authenticate as: Test\SVC_testLDAP Binding Type: 3 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-24-2020 03:01 PM