Splunk Search

Trouble Matching a regex for Transforms.conf

kholleran
Communicator

Hi,

I am auditing the Splunk Data directories for any kind of access. To do this, I put EVERYONE in the audit group. I then want to filter out any that come in from the system account:

Fo instance, an event like this is generated

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=COMPUTERNAME.DOMAIN.com
TaskCategory=File System
OpCode=Info
RecordNumber=960826400
Keywords=Audit Success
Message=A handle to an object was requested.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       COMPUTERNAME$
    Account Domain:     DMN
    Logon ID:       0x3e7

Object:
    Object Server:      Security
    Object Type:        File
    Object Name:        C:\Program Files\Splunk\Python-2.7\Lib\encodings
    Handle ID:      0x8c

Process Information:
    Process ID:     0xcf4
    Process Name:       C:\Program Files\Splunk\bin\python.exe

What I want match out to pass to the nullQueue in transforms.conf is across multiple lines:

TaskCategory=File System & Account Name: COMPUTERNAME$

I cannot get this to match no matter the regex I throw in there (I am guessing because it is going across multiple lines).

Thanks for any help.

Kevin

0 Karma

MarioM
Motivator

have you tried with (?msi) before your regex? if still not working what is your regex?

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...