Splunk Search

Use eval command to extract from message

jeradb
Explorer
LogName=Application
EventCode=1004
EventType=4
ComputerName=Test.local
User=NOT_TRANSLATED
Sid=S-1-5-21-2704069758-3089908202-2921546158-1104
SidType=0
SourceName=RoxioBurn
Type=Information
RecordNumber=16834
Keywords=Classic
TaskCategory=Optical Disc
OpCode=Info
Message=Date: Wed Feb 28 14:22:59 2024
 Computer Name: COM-HV01
 User Name: Test\test.user
 Writing is completed on drive (E:). Project includes 0 folder(s) and 1 file(s).
 Volume Label: 2024-02-28 
 Volume SN: 0
 Volume ID: \??\Volume{b282bf1c-3dde-11ed-b48e-806e6f6e6963}
 Type: Unknown
 Status Of Media: Appendable,Blank,Closed session
 Files: C:\ProgramData\Roxio Log Files\Test.test.user_20240228142142.txt SHA1: 7c347a6724dcd243d396f9bb5e560142f26b8aa4
 File System: None
 Disc Number: 1
 Encryption: Yes
 User Password: Yes
 Spanned Set: No
 Data Size On Disc Set: 511 Bytes
 Network Volume: No

 

How would I write an eval command to extract User Name: without domain, Status of Media, Data size on disc set, and files from the field Message?  


gcusello
SplunkTrust

Hi @jeradb,

You could use a regex, not an eval command, like the following:

| rex "User Name: (?<User_Name>[^ \n]+)"

you can test this regex at https://regex101.com/r/gJ0I26/1

But only one question: did you install the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742)?

Using this add-on, you should already have this field extracted without using a custom regex.

Ciao.

Giuseppe
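A complete search covering all four fields the question asks for, added here as an example and not part of the answer above. It assumes Message is already an extracted field (as it is with the Splunk_TA_Windows add-on) and that the events are in an index named wineventlog (an assumed name); the split()/mvindex() step drops the DOMAIN\ prefix from the user name, and the Files line is separated into the file path and its SHA1.

```spl
index=wineventlog EventCode=1004 SourceName=RoxioBurn
| rex field=Message "(?m)^\s*User Name:\s*(?<user_full>\S+)"
| eval user_name=mvindex(split(user_full, "\\"), -1)
| rex field=Message "(?m)^\s*Status Of Media:\s*(?<media_status>[^\r\n]+)"
| rex field=Message "(?m)^\s*Data Size On Disc Set:\s*(?<data_size>[^\r\n]+)"
| rex field=data_size "^(?<data_size_bytes>\d+)\s+Bytes$"
| rex field=Message "(?m)^\s*Files:\s*(?<file_path>.+?)\s+SHA1:\s*(?<file_sha1>[0-9a-fA-F]{40})"
| table _time ComputerName user_name media_status data_size_bytes file_path file_sha1
```

In the split() call, "\\" is SPL string escaping for a single backslash. The labels in the regexes are matched exactly as they appear in the event (Status Of Media, not Status of Media), since rex is case-sensitive by default.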


gcusello
SplunkTrust

Hi @jeradb,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
