
Hey Splunkers,

I cannot get the following rex statement to match in Splunk. I read that using (?m) in the transforms.conf file will match multiline events; however, I am having trouble getting this to work at search time. Actually, I don't even know if this will work at search time.

index=security EventCode=1234 OR EventCode=123 
| rex field=_raw 
    "(?m)Target\sAccount.*\r\n\tSecurity.*\r\n\tAccount\sName\:\t\t (?<Foobar>.*)"

Please let me know if this would work...

Regardless, we have events that have a field of "Account Name", after which there is another "Account Name" that isn't being made into a field. The data after the second Account Name is what we are trying to grab. Example:

Subject:
    Security ID:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Account Name:       admin
    Account Domain:     dom
    Logon ID:       xxxxxxxxxx

Target Account:
    Security ID:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Account Name:       bigadmin
    Account Domain:     dom

Any better ideas on how to do this? Thanks in advance!

I-Man

asked 08 Feb '11, 22:04

I-Man

edited 08 Feb '11, 22:39

gkanapathy ♦


2 Answers:

You can do exactly that with mvindex. This function allows you to pick which value of a multi-valued field you would like to take. I'll show a search using -1 as the index value, since this will always pick the last value. Using the following search will take the last "Account_Name" and place it in a field called user for each event:

Account_Name="*" EventCode="4624" | eval user=mvindex(Account_Name,-1)

Cheers,
ron

P.S. If you want to verify that the user field is picking up the correct values, try this search which will list the Account_Name(s) and user fields side-by-side:

Account_Name="*" EventCode="4624" | eval user=mvindex(Account_Name,-1) | table Account_Name user

answered 10 Feb '11, 07:49

Ron Naken

edited 10 Feb '11, 08:03

Exactly what I was looking for. Thanks ron!!!

(10 Feb '11, 13:25) I-Man

If you have the Windows app installed, Splunk should automagically extract both account names from the log entries. Select Account_Name in the "Pick Fields" and search for something like this:

Account_Name=* EventCode="4624"

You'll notice that under each event that has multiple account names, you'll see both entries:

Account_Name=- | Account_Name=SYSTEM

You don't need the (?m). The RegEx was not correct prior to being edited, but you shouldn't need to use one.

Cheers


answered 08 Feb '11, 22:29

Ron Naken

edited 08 Feb '11, 22:51

Thanks much for the response ron. Is there any way to only grab the second account name and ignore the first instance?

(09 Feb '11, 13:09) I-Man
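The two approaches in this thread, the multivalue Account_Name field with mvindex(-1) from the accepted answer and a regex anchored on the "Target Account:" section as the question attempted, modelled side by side in Python. This is an added example, not Splunk code and not from either poster: the event text is constructed from the sample in the question (the Security ID and Logon ID values are placeholders), the mvindex function is a model of the Splunk eval function's indexing behaviour, and re.MULTILINE / re.DOTALL are Python's equivalents of the PCRE (?m) and (?s) flags. The regexes use \s* around the values so they work whether the raw event uses tabs or spaces and whether lines end in \n or \r\n, which is where the tab-specific rex in the question is brittle.

```python
import re

# Constructed sample event, modelled on the one posted in the question
# (the Security ID / Logon ID values are placeholders, not real data).
EVENT = """Subject:
    Security ID:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Account Name:       admin
    Account Domain:     dom
    Logon ID:       xxxxxxxxxx

Target Account:
    Security ID:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Account Name:       bigadmin
    Account Domain:     dom
"""

# re.MULTILINE is Python's equivalent of the PCRE (?m) flag the question asks
# about: ^ and $ match at every line boundary, not only at the ends of the
# string. The \s* around the value tolerates tabs or spaces and a trailing \r.
ACCOUNT_NAME_RE = re.compile(r"^\s*Account Name:\s*(.+?)\s*$", re.MULTILINE)


def account_names(event):
    """Every 'Account Name' value in document order: the multivalue
    Account_Name field the Windows add-on extracts, as described in the
    second answer (e.g. ['-', 'SYSTEM'] for a logon event)."""
    return ACCOUNT_NAME_RE.findall(event)


def mvindex(values, idx):
    """Model of Splunk's mvindex(field, idx): negative indexes count from the
    end, so -1 is the last value, as in the accepted answer; an out-of-range
    index yields no value (None here, NULL in Splunk)."""
    try:
        return values[idx]
    except IndexError:
        return None


# Alternative that does not rely on ordinal position: anchor on the section
# header. re.DOTALL is the (?s) flag: it lets '.' cross line breaks, which is
# what the question's rex needed between "Target Account" and "Account Name".
TARGET_ACCOUNT_NAME_RE = re.compile(
    r"Target Account:.*?^\s*Account Name:\s*(.+?)\s*$",
    re.MULTILINE | re.DOTALL,
)


def target_account_name(event):
    """The Account Name under 'Target Account:', or None when the event has
    no such section (e.g. an event with only a Subject block)."""
    m = TARGET_ACCOUNT_NAME_RE.search(event)
    return m.group(1) if m else None


if __name__ == "__main__":
    names = account_names(EVENT)
    print("Account_Name:", names)                          # ['admin', 'bigadmin']
    print("user (mvindex -1):", mvindex(names, -1))        # bigadmin
    print("target account:", target_account_name(EVENT))  # bigadmin
    # Same parsing on a copy with Windows CRLF line endings
    print(target_account_name(EVENT.replace("\n", "\r\n")))  # bigadmin
```

The two functions answer different questions: account_names plus mvindex(-1) reproduces the accepted answer and depends on the target account always being listed last, while target_account_name keys on the section header, so it returns None rather than silently returning the Subject's name when an event carries no Target Account block. Either way, the value under "Target Account" is the account being acted on, which is the one worth putting in the user field when reviewing these events.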
Asked: 08 Feb '11, 22:04

Seen: 724 times

Last updated: 10 Feb '11, 08:03

Copyright © 2005-2012 Splunk, Inc. All rights reserved.