Splunk Search

Using rex command to extract Message field in Windows Event Logs

Alfred
Explorer

I want to extract from the Message field in the Windows Event Log just the first few words until the period - example would be:

Message=A user account was unlocked. Subject: Security ID: xxxxxxxxxxxxxxxx Account Name: xxxxxxxxxx Account Domain: xxxxxxxxx Logon ID: xxxxxxxxxx Target Account: Security ID: xxxxxxxxxxxxxx-xxxxxxxx Account Name: xxxxxxxxxx Account Domain: xxxxxxxxxx

Labels (1)
Tags (1)
0 Karma
1 Solution

aasabatini
Builder

Hi @Alfred 

yes, you can use a table comand after the rex comand

| rex field=_raw "(Message=(?<message>[a-zA-z ].*)Subject)" | table message

rex comand can extract fields in search time

If you want define the extraction at index time you can put the regex expression on the props.conf file

Example

[your sourcetype]
EXTRACT-message =  (Message=(?<message>[a-zA-z ].*)Subject)

https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Exampleconfigurationswithprops.conf

 

 

View solution in original post

0 Karma

Alfred
Explorer

That solved it - Thanks for all your help 

 

0 Karma

aasabatini
Builder

Hi @Alfred 

the best way to extract these fields is:

the key value automatic extraction

https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Automatickey-valuefieldextractionsatsea...

anyway if you need a rex for other reason this is a good way to extract the message field

| rex field=_raw "(Message=(?<message>[a-zA-z ].*)Subject)"
0 Karma

Alfred
Explorer

Thanks aasabatini ...  my goal is as follows : 

in the Message ( extracted) field I need to table only the first sentence instead of the whole message   - your rex command seem to be correct but applying it did not change the Message output in the query , I still see the whole message 

0 Karma

Alfred
Explorer

I found an extraction created after running the rex command you sent -  called "name " - I wonder if I can give a name to the rex extraction ... so I can call it in a table 

 

0 Karma

aasabatini
Builder

Hi @Alfred 

yes, you can use a table comand after the rex comand

| rex field=_raw "(Message=(?<message>[a-zA-z ].*)Subject)" | table message

rex comand can extract fields in search time

If you want define the extraction at index time you can put the regex expression on the props.conf file

Example

[your sourcetype]
EXTRACT-message =  (Message=(?<message>[a-zA-z ].*)Subject)

https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Exampleconfigurationswithprops.conf

 

 

View solution in original post

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.