Trying to get these UUID/GUIDs to extract from the message field. Hoping to create a rex to extract everything after 'fieldx: ' in the 8-4-4-4-12 character window separated by each , after that. Ive tried the "extract new fields " but there are well over 120 of these things and splunk doesnt like selecting all of that and filtering keeps throwing errors. And would rather not have to do this one by one.  These are embedded in the message field as stated earlier. Id like to make a new field with the rex if possible and name it "fieldx" Any and all help is welcome.  "message: Filtered marking ids for DAC property 'fieldx': abc12345-b123-c456-d789-123abx789edc, de14fc5e-22av-87dd-65d9-7563a7pleqw3, "(<----there are about 120 more in a row of these) Thanks in advance     ... View more

(This may be Vague because what its on so sorry ) I have lets say 2 servers. The "Splunk" server, and then the "Target" server. There are certain logs on the Target server that im trying to get to report to splunk. And for some reason they just arent going. Tried editing the inputs a few times. I get 2 of the 3 files reporting to splunk but for some reason it wont capture the other one.  Ive tried a few variations on the Inputs.conf file to capture these logs. Not sure if i need to specify the log type in the conf file or if im just being dumb. This is one of those things ive been working on for a while so my mind is mush. So here i am.  There is a "Banner.LogTypeHere" "Host.LogTypeHere" and a "UserDAC.LogTypeHere" I get the Banner and Host to show up but for some reason the UserDAC doesnt populate.  Just some dumb variations ive tried in inputs.  [monitor: %ProgramData%\XXX\XXX\Logs] [monitor: %ProgramData%\XXX\XXX\Logs\*.LogTypeHere] [monitor: c:\ProgramData\XXX\XXX\Log] ... View more

Thanks in Advance,  I have a search setup to see whenever someone access's a certain document. This works just fine, the issue comes with the results. Looking at the Extracted Fields, i get the users "Sid" instead of their username. I do however have Splunk Supporting Add-On for Active Directory, and have it configured. I have a report that pulls a CSV (users.csv) that gives me everyones sAMAccountName as well as their SIDs' and puts it in the location of my Lookup Table.  Trying to figure out how to get the |inputlookup     to compair the search results Sid with my excel doc and give me the AccountName in that specific Row as well. Any help?   I have this ( minus the output to create my users.csv) |ldapsearch search="(&(objectclass=user)(!(objectClass=computer)))" attrs="userAccountControl,sAMAccountName,objectSid,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires" |makemv userAccountControl |search userAccountControl="NORMAL_ACCOUNT" |eval suffix="" |eval endDate="" |table sAMAccountName,objectSid,displayName,givenName,sn,whenCreated,   and my main search source="WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL" NOT %SYSTEM32*   Just need a input to get my results Sid to look at the Excel find the SID in the "objectSid" ( column B ) and give me the sAMAccountName(columnA) into my search results...   IF POSSIBLE! ... View more