Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search a Multiline event using rex at searchtime?

I-Man
Communicator
‎02-08-2011 10:04 PM

Hey Splunkers,

I cannot get the following rex statement to match in Splunk. I read that using (?m) in the transforms.conf file will match multiline events however I am having trouble getting this to work at searchtime. Actually, I dont even know if this will work at search time.

index=security EventCode=1234 OR EventCode=123 
| rex field=_raw 
    "(?m)Target\sAccount.*\r\n\tSecurity.*\r\n\tAccount\sName\:\t\t (?<Foobar>.*)"

Please let me know if this would work...

Regardless, we have events that have a field of "Account Name". After which, there is another "Account Name" that isn't being made into a field. The data after the second Account Name is what we are trying to grab. Example:

Subject:
    Security ID:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Account Name:       admin
    Account Domain:     dom
    Logon ID:       xxxxxxxxxx

Target Account:
    Security ID:        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Account Name:       bigadmin
    Account Domain:     dom

Any better ideas on how to do this? Thanks in advance!

I-Man

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-10-2011 07:49 AM

You can do exactly that with mvindex. This function allows you to pick which value of a multi-valued field you would like to take. I'll show a search using -1 as the index value, since this will always pick the last value. Using the following search will take the last "Account_Name" and place it in a field called user for each event:

Account_Name="*" EventCode="4624" | eval user=mvindex(Account_Name,-1)

Cheers,
ron

P.S. If you want to verify that the user field is picking up the correct values, try this search which will list the Account_Name(s) and user fields side-by-side:

Account_Name="*" EventCode="4624" | eval user=mvindex(Account_Name,-1) | table Account_Name user

View solution in original post

Reply
Solved! Jump to solution
Solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-10-2011 07:49 AM

You can do exactly that with mvindex. This function allows you to pick which value of a multi-valued field you would like to take. I'll show a search using -1 as the index value, since this will always pick the last value. Using the following search will take the last "Account_Name" and place it in a field called user for each event:

Account_Name="*" EventCode="4624" | eval user=mvindex(Account_Name,-1)

Cheers,
ron

P.S. If you want to verify that the user field is picking up the correct values, try this search which will list the Account_Name(s) and user fields side-by-side:

Account_Name="*" EventCode="4624" | eval user=mvindex(Account_Name,-1) | table Account_Name user
Reply
Solved! Jump to solution

I-Man
Communicator
‎02-10-2011 01:25 PM

Exactly what I was looking for. Thanks ron!!!

0 Karma
Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-08-2011 10:29 PM

If you have the Windows app installed, Splunk should automagically extract both account names from the log entries. Select Account_Name in the "Pick Fields" and search for something like this:

Account_Name=* EventCode="4624"

You'll notice that under each event that has multiple account names, you'll see both entries:

Account_Name=- | Account_Name=SYSTEM

You don't need the (?m). The RegEx was not correct prior to being edited, but you shouldn't need to use one.

Cheers

Reply
Solved! Jump to solution

I-Man
Communicator
‎02-09-2011 01:09 PM

Thanks much for the response ron. Is there anyway to only grab the second account name and ignore the first instance?

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...