×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
enymanu
New Member
Member since: ‎03-10-2020
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-10-2020
View All

Re: Extracting multiple values in a Splunk Search

by in Splunk Enterprise Security
‎03-11-2020 04:54 PM
‎03-11-2020 04:54 PM
This works fine but it slow. Is there away it can be accelerated ... View more

Re: Extracting multiple values in a Splunk Search

by in Splunk Enterprise Security
‎03-11-2020 07:19 AM
‎03-11-2020 07:19 AM
This is my updated search. It is not filtering the properties. sourcetype=wineventlog (EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR Object_Type="domainDNS")) OR (EventCode="4624" session_id!="NT AUTHORITY" Account_Domain!="Window Manager") | rex max_match=0 "^%" | search (guid="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" OR guid = "{9923a32a-3607-11d2-b9be-0000f87a36b2}" OR guid = "{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}") ... View more

Extracting multiple values in a Splunk Search

by in Splunk Enterprise Security
‎03-10-2020 10:36 AM
‎03-10-2020 10:36 AM
**Hi All, I need help extracting {0000000-0000-0000-0000-000000000000} and {0000000-0000-0000-0000-000000000000} from the log sample below during search. This is what i have so far: sourcetype=wineventlog EventCode="4662" Account_Name="\$" Access_Mask=0x100 (Object_Type="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" OR ObjectT_ype="domainDNS") | rex field=Message "Properties: (?P[^\s]+) {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} " | rex field=Message "Properties: (?P[^\s]+) {9923a32a-3607-11d2-b9be-0000f87a36b2} " | rex field=Message "Properties: (?P[^\s]+) {1131f6ac-9c07-11d1-f79f-00c04fc2dcd2} " Please help me fix this search.* LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 EventType=0 Type=Information ComputerName=gghasfv.net TaskCategory=Directory Service Access OpCode=Info RecordNumber=0000000 Keywords=Audit Success Message=An operation was performed on an object. Subject : Security ID: S-1-5-21-0000000-0000-0000-0000-000000000000 Account Name: NAME$ Account Domain: GOAL Logon ID: GOAL Object: Object Server: DS Object Type: %{0000000-0000-0000-0000-000000000000} Object Name: %{0000000-0000-0000-0000-000000000000} Handle ID: Operation: Operation Type: Object Access Accesses: Control Access Access Mask: 0x100 Properties: Control Access {0000000-0000-0000-0000-000000000000} {0000000-0000-0000-0000-000000000000} Additional Information: Parameter 1: Parameter 2 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM