Splunk Search

Extract multiple lines from search output

kkossery
Communicator

Experts,

I have an Event Log output using the search string

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"

The output would be, after truncating it,

10/22/2014 11:49:09 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4742
EventType=0
Type=Information
ComputerName=HostName
TaskCategory=Computer Account Management
OpCode=Info
RecordNumber=3344821
Keywords=Audit Success

etc. for each event code ID.

I would like the lines 1, 4 and 7 from the output for example.
I used regex and was able to get to one line but do not know how to match the other 4th and 7th line only. See my expression below,

(?<EveID>EventCode\S+)

That would match Event Code=4742, but how do you expand the expression to include line 4 and line 7?

Thank you.


richgalloway
SplunkTrust

Something like this might do the job:

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739" | rex "(?m)(?<EveID>EventCode=\S*)[\s\S]*ComputerName=(?<ComputerName>\S+)\s+TaskCategory=(?<TaskCategory>[\s\S]+?)\n" | table _time EveID ComputerName TaskCategory
---
If this reply helps you, Karma would be appreciated.

kkossery
Communicator

Thanks richgalloway. How do we also add

TaskCategory=Computer Account Management

to this? Since this has whitespace, I'm unable to figure out how to include the sentence "Computer Account Management".


richgalloway
SplunkTrust

I've updated my answer to include TaskCategory.
You can probably work out how to add it to @MuS's solution.

---
If this reply helps you, Karma would be appreciated.

MuS
SplunkTrust

Or, to answer the question of how to get the nth line, try this:

sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"
| rex field=_raw "([^\n]*\n){3}([^\n]\w+\=(?<EveID>.*))"
| rex field=_raw "([^\n]*\n){6}([^\n]\w+\=(?<ComputerName>.*))"
| table EveID,ComputerName

cheers, MuS

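Both extraction approaches from this thread, richgalloway's field-name pattern and MuS's line-counting pattern, run outside Splunk against a constructed copy of the event layout posted above. This is an added example using Python's re module, not code from either poster or from Splunk; rex uses PCRE, so (?<name>) becomes (?P<name>) and the patterns are otherwise unchanged, and the function names and the anchored option are this example's own. It also shows why the line-counting pattern, as posted, can silently return a later line when the requested line has no key=value shape, and how \A prevents that.

```python
import re

# Constructed sample event in the layout shown in the question (not real log data).
SAMPLE_EVENT = """10/22/2014 11:49:09 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4742
EventType=0
Type=Information
ComputerName=HostName
TaskCategory=Computer Account Management
OpCode=Info
RecordNumber=3344821
Keywords=Audit Success
"""

# richgalloway's rex pattern: anchor on field names, so the line order does not matter.
# [\s\S]* spans newlines; the lazy [\s\S]+? stops TaskCategory at the end of its line,
# which is what lets a value containing spaces ("Computer Account Management") through.
FIELD_RE = re.compile(
    r"(?m)(?P<EveID>EventCode=\S*)[\s\S]*ComputerName=(?P<ComputerName>\S+)\s+"
    r"TaskCategory=(?P<TaskCategory>[\s\S]+?)\n"
)


def extract_by_field(event):
    """Return the EveID, ComputerName and TaskCategory captures, or {} if absent."""
    m = FIELD_RE.search(event)
    return m.groupdict() if m else {}


def extract_nth_line_value(event, n, anchored=True):
    """MuS's idea: skip n-1 whole lines, then take the value after '=' on line n.

    As posted the pattern is unanchored, so if line n has no 'key=value' shape the
    engine slides forward and matches the first later line that does, returning the
    wrong field without any error. With \\A (assumption: an addition of this example)
    the match is pinned to the event start and such a line yields None instead.
    """
    skip = rf"([^\n]*\n){{{n - 1}}}"  # {{ }} in the f-string emit a literal {n-1}
    pattern = (r"\A" if anchored else "") + skip + r"[^\n]\w+=(?P<value>.*)"
    m = re.search(pattern, event)
    return m.group("value") if m else None


if __name__ == "__main__":
    print(extract_by_field(SAMPLE_EVENT))
    for line_no in (4, 7, 8):
        print(line_no, extract_nth_line_value(SAMPLE_EVENT, line_no))
    # Line 1 is the timestamp: anchored -> None, unanchored -> next key=value line.
    print(extract_nth_line_value(SAMPLE_EVENT, 1), extract_nth_line_value(SAMPLE_EVENT, 1, anchored=False))
```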

kkossery
Communicator

Thanks MuS. I'll use your output too on a different problem.


MuS
SplunkTrust

What is the expected result of line 4 and line 7? Should line 4 be ComputerName and line 7 RecordNumber? I'm asking because EventCode is not line 1...


kkossery
Communicator

Sorry about that. Expected result should be,

Time    EveID              ComputerName
_time   Event Code=4742    MyHost.com
_time   Event Code=4772    MyHost2.com

etc..
