How do I extract fields that have the same name:
```
Subject:
	Security ID:	S-1-5-21-3421131818-2740222167-1022849547-30684
	Account Name:	xxxxxxxx
	Account Domain:	xxxxxx
	Logon ID:	0x2ab3cdc2e
Member:
	Security ID:	S-1-5-21-3421131818-2740222167-1022849547-17789
	Account Name:	CN=xxxxxx,OU=yyyyyy,OU=zzzz,DC=xxx,DC=xxx,DC=com
Group:
	Security ID:	S-1-5-21-3421131818-2740222167-1022849547-512
	Group Name:	Domain Admins
	Group Domain:	ESCG
```
How do I extract out the:
Subject: Account name
Member: Account Name
Group: Group Name
You need a multi-line EXTRACT looking for the section name followed by any number of indented lines and the words "Account Name:". A props.conf with the below should work. I added in New Logon in case you also need EventCode=4624.
```ini
[WinEventLog:Security]
# Each EXTRACT needs its own unique name; repeating the same key in a stanza
# makes the last line override the earlier ones, so only one field would be extracted.
EXTRACT-subject=(?m)^Subject:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?<SubjectAccountName>[^\r\n]+)
EXTRACT-member=(?m)^Member:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?<MemberAccountName>[^\r\n]+)
EXTRACT-newlogon=(?m)^New Logon:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?<NewAccountName>[^\r\n]+)
# The capture must exclude line breaks ([^\r\n]+), not match them ([\r\n]+), to get the group name text
EXTRACT-gn=(?m)^\s+Group Name:\s+(?<GroupName>[^\r\n]+)
```
Explanation: `(?m)` tells Splunk to use multi-line matching, and `(?:\t[^\r\n]+[\r\n]+)+` matches any number of tab-indented lines.
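To see how these patterns behave on a whole event before putting them in props.conf, here is an added Python example (not from the answer above and not Splunk code) that runs the same regexes over a constructed 4728-style event. Python's `re` spells named groups `(?P<name>...)` rather than the PCRE `(?<name>...)` Splunk uses; the SIDs, names and domain in the sample are made up.

```python
import re

# Constructed sample in the shape of a Windows Security EventCode=4728 event
# (member added to a security-enabled global group). Section headers sit at
# column 0 and every line inside a section is tab-indented, as in the real log.
SAMPLE_EVENT = (
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-111-222-333-1001\r\n"
    "\tAccount Name:\t\tadmin.user\r\n"
    "\tAccount Domain:\t\tEXAMPLE\r\n"
    "\tLogon ID:\t\t0x2ab3cdc2e\r\n"
    "Member:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-111-222-333-1002\r\n"
    "\tAccount Name:\t\tCN=new.user,OU=Users,DC=example,DC=com\r\n"
    "Group:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-111-222-333-512\r\n"
    "\tGroup Name:\t\tDomain Admins\r\n"
    "\tGroup Domain:\t\tEXAMPLE\r\n"
)

# The props.conf patterns, with (?<name>...) rewritten as (?P<v>...) for Python.
# (?:\t[^\r\n]+[\r\n]+)+ only consumes tab-indented lines, so it cannot run
# past the next column-0 header; backtracking then lands on the section's own
# "Account Name:" line. Caveat: \s+ also matches line breaks, so an empty value
# would capture the following line; [ \t]+ is the stricter choice if that matters.
SECTION_PATTERNS = {
    "SubjectAccountName": r"(?m)^Subject:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?P<v>[^\r\n]+)",
    "MemberAccountName": r"(?m)^Member:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?P<v>[^\r\n]+)",
    "NewLogonAccountName": r"(?m)^New Logon:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?P<v>[^\r\n]+)",
    "GroupName": r"(?m)^\s+Group Name:\s+(?P<v>[^\r\n]+)",
}


def extract_fields(event: str) -> dict:
    """Return the fields each pattern finds in one multi-line event.

    Sections absent from the event (e.g. "New Logon:" in a 4728) simply
    produce no key, which is how Splunk behaves when an EXTRACT does not match.
    """
    fields = {}
    for name, pattern in SECTION_PATTERNS.items():
        match = re.search(pattern, event)
        if match:
            fields[name] = match.group("v")
    return fields


if __name__ == "__main__":
    for key, value in extract_fields(SAMPLE_EVENT).items():
        print(f"{key} = {value}")
```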
This looks like a single event from Win2008 WinEvtLog:Security, albeit a bit chopped up.
/k
Which log is this data coming from?