Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiline events with fields with same name (Windows 2008 logs)

bojanz
Communicator
‎08-30-2010 10:34 AM

With Windows 2008 (and Vista) event logs are now much more detailed, however there are some problems with multiple fields which have same names, for example like this:

Subject:  
    Security ID:        S-1-5-18  
    Account Name:       CALLISTO$  
    Account Domain:     DEMO  
    Logon ID:       0x3e7  

Logon Type:         10  

Account For Which Logon Failed:  
    Security ID:        S-1-0-0  
    Account Name:       Administrator  
    Account Domain:     DEMO

Now, I want to extract only the second "Account Name" field. Splunk automatically extracts both of them, but I want to graph only the second. Any idea how to do it on multiline events like this? I tried with rex and regex but with no success 😞

Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-30-2010 01:18 PM

You may be able to prevent splunk from extracting the first value, but there may be times when you'll want the first value but not the second. So perhaps an easier way would be to tell splunk just to grab that second value for your search. Since you always know that you want the second value, you can use an eval statement in your search like this:

sourcetype=WinEventLog:Security "Logon Failed" | eval login_account=mvindex(Account_Name,1) | timechart count by login_account

View solution in original post

Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-30-2010 01:18 PM

You may be able to prevent splunk from extracting the first value, but there may be times when you'll want the first value but not the second. So perhaps an easier way would be to tell splunk just to grab that second value for your search. Since you always know that you want the second value, you can use an eval statement in your search like this:

sourcetype=WinEventLog:Security "Logon Failed" | eval login_account=mvindex(Account_Name,1) | timechart count by login_account
Reply
Solved! Jump to solution

bapruski
Explorer
‎05-15-2012 08:05 AM

How would you evaluate the Account_Name if in some cases it has only one value (event 4768, 4769) and in some it has two (event 4624)?

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...