- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract field from Windows event log
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The event I have is from a windows event log and AppLocker
See below:
LogName=Microsoft-Windows-AppLocker/EXE and DLL
SourceName=Microsoft-Windows-AppLocker
EventCode=8002
EventType=4
Type=Information
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=24254
Keywords=None
Message=%SYSTEM32%\TASKHOSTW.EXE was allowed to run.
I would like to extract the new field labeled "Application" and have the search return the TASKHOSTW.EXE
How can I do this? (Regex is not my strong suit)
p.s. Happy to do the extraction at the time of the search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this run anywhere search
| makeresults
| eval data="LogName=Microsoft-Windows-AppLocker/EXE and DLL
SourceName=Microsoft-Windows-AppLocker
EventCode=8002
EventType=4
Type=Information
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=24254
Keywords=None
Message=%SYSTEM32%\TASKHOSTW.EXE was allowed to run."
| rex field=data "Message=.*\\\(?<Application>[^\s]+)\s\w+"
On your prod data the code would be
| rex field=_raw "Message=.*\\\(?<Application>[^\s]+)\s\w+"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @davidjohnbeckettorb
If it's a regex you would like to use, below should work for you.
|rex field=Message "(?i)^.+\\(?P<'Application'>[^\s]+)"
provided you are trying to capture the value between the first This-->\ and the next space that appears.
Please remove the '' in Application while attempting it. Not sure how I include text in angular
There are other ways to achieve this using an eval and it can be explored if you need to.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @vik_splunk - worked a treat!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this run anywhere search
| makeresults
| eval data="LogName=Microsoft-Windows-AppLocker/EXE and DLL
SourceName=Microsoft-Windows-AppLocker
EventCode=8002
EventType=4
Type=Information
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=24254
Keywords=None
Message=%SYSTEM32%\TASKHOSTW.EXE was allowed to run."
| rex field=data "Message=.*\\\(?<Application>[^\s]+)\s\w+"
On your prod data the code would be
| rex field=_raw "Message=.*\\\(?<Application>[^\s]+)\s\w+"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @ mayurr98. Add this to my search and pulled out the application nicely. Much appreciated
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
