Refine your search:

Missing Event details when trying to Extract Fields from an Active Directory event

1

I have the following raw AD event which I can see from my search:

08/16/2010 12:55:56.0110
dcName=w2k3r2.demo.dev
admonEventType=Update
Names:
    objectCategory=CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=demo,DC=dev
    name=bsmith
    displayName=$CimsUserVersion2
    distinguishedName=CN=bsmith,CN=Users,CN=default,CN=Zones,CN=Centrify,CN=Program Data,DC=demo,DC=dev
    cn=bsmith
Object Details:
    objectGUID=cffb0829-0642-134c-2ef1-f03cc696e10b
    whenChanged=20100816195556.0Z
    whenCreated=20070906020209.0Z
    objectClass=top|leaf|connectionPoint|serviceConnectionPoint
Event Details:
    uSNChanged=127046
    uSNCreated=14129
    instanceType=4
Additional Details:
    keywords=foo:1111|bar:3333|too:3333
    showInAdvancedViewOnly=TRUE

Whenever I try to use the "Extact Fields" UI, the event is truncated after "Event Details" in the "Sample events" frame. What's preventing me from seeing the entire event?

asked 16 Aug '10, 20:17

mpatnode's gravatar image

mpatnode
615
accept rate: 0%

One Answer:
oldestnewestmost voted
1

In order to prevent the limited screen real estate from exploding, sample events are truncated at 15 lines (with at most 100 events). I have filed a request for improvement.

From the standard search view, you can still manually test out a regex with the 'rex' search command, and when it works, manually add that regex to your source or sourcetype from the Manager (i.e., Manager » Fields » Field extractions)

link

answered 16 Aug '10, 22:55

carasso's gravatar image

carasso ♦♦
3.2k319
accept rate: 45%

Well that explains that. I did figure out how to use 'rex' as a work around. The next question is can I do dynamic field name generation the same way Splunk does? Something like this:

sourcetype="ActiveDirectory" keywords= | rex field=_raw "keywords=(?<_KEY_1>[a-z]):(?<_VALUE_1>[0-9]*)

(17 Aug '10, 01:34) mpatnode

unfortunately, no.

(26 Aug '10, 19:48) carasso ♦♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×352
×47

Asked: 16 Aug '10, 20:17

Seen: 619 times

Last updated: 16 Aug '10, 22:55

Related questions

Automatic field extraction not extracting all the fields from a particular event

What would cause the "date_*" fields to be missing from an event?

Is it possible to extract a field from a transaction event?

extract a field from event source filename

how to extract fields from one event in a log file and append them to other events in same log?

Dynamically extract field names from multiline event

Field extraction tool not showing whole event.

Multi Line Event Field Extraction

Multi-line event field extraction

Copyright © 2005-2012 Splunk, Inc. All rights reserved.