Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex on a WMI security and Splunk formating

jordans
Path Finder
‎05-10-2011 09:25 AM

Hi,

I want to filter out all Successful NULL user logins from the Windows Security logs by using transforms.conf to send to the nullQueue before indexing.

In the Search app, the lines are displayed as:

  ...
  Type=Audit Success
  User=NULL    
  ...

But I am not sure how to create the regex to handle both lines even though the lines come after one another. All the regex testers I have tried have not been helpful.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jordans
Path Finder
‎05-10-2011 03:58 PM

I ended up figuring it out eventually, with some added features:

(?m)Type=Audit\sSuccess(\s+.*\s+){6}Account\sName:\s+(USERNAME1|USERNAME2)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jordans
Path Finder
‎05-10-2011 03:58 PM

I ended up figuring it out eventually, with some added features:

(?m)Type=Audit\sSuccess(\s+.*\s+){6}Account\sName:\s+(USERNAME1|USERNAME2)
0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎05-10-2011 10:44 AM

By default, Splunk should extract those fields with it's automatic field extraction. For any key=value, Splunk is pretty friendly. To optimize a search that finds all of these:

  • Make sure "Type" and "User" get extracted. you may need to turn on field discovery and pick them from the field picker

Assuming each event contains both of these lines, here is the search:

Audit Success NULL | search User=NULL Type="Audit Success"

OR

User=NULL Type="Audit Success"

To filter these events from your results, you want to negate the terms:

NOT User=NULL NOT Type="Audit Success"
0 Karma
Reply
Solved! Jump to solution

jordans
Path Finder
‎05-10-2011 03:01 PM

But that's my whole point. I need to know what the regex is ...

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎05-10-2011 02:30 PM

Sounds like you want to do conditional routing to the nullqueue for specific events. The following thread explains how to route to nullqueue (won't get indexed). You want to modify the regex to recognize your specific events:

http://splunk-base.splunk.com/answers/11102/can-i-devnull-a-sourcetype

0 Karma
Reply
Solved! Jump to solution

jordans
Path Finder
‎05-10-2011 01:17 PM

I'm afraid I was not clear. I want to filter them out before indexing, so I need to configure transforms.conf. That's the regex I need to figure out.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...