For this use case, see the message below; what we would like to extract is:
I can extract the 1st part OK but cannot extract the 2nd part.
Needed information from Event ID message:
1st part
--Header--- --Data Results --
Account Name: test01
New Process Name: C:\Program Files\WinZip\Utils
ComputerName= server001
2nd Part
This is the only information we need from the multi line error message
Client IP address:
10.10.00.10:34567
Identity the client attempted to authenticate as:
Test\SVC_testLDAP
===================================
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4888
EventType=0
Type=Information
ComputerName= server001
TaskCategory=Process Creation
OpCode=Info
RecordNumber=934605653
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: test01
Account Domain: Test
Logon ID: 12345test
Target Subject:
Security ID: NULL SID
Account Name: Test
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2030
New Process Name: C:\Program Files\etc\zip.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0ss0x
Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.10.00.10:34567
Identity the client attempted to authenticate as:
Test\SVC_testLDAP
Binding Type: 3
Hello,
Thanks for your help.
I tried the regex code but it is not returning the desired result; it would be nice if we could do it via regex.
This gives back all the information:
index="wineventlog" EventCode=2889
When I add the regex to this, I still get the same info. Not sure if this makes a difference: all the information is
under the "Message" field; we just need to pull from Message and one "ComputerName= server001" field from the top.
The 1st line is the header and below it is the data:
Client IP address: Identity the client attempted to authenticate as: ComputerName
10.10.00.10 Test\SVC_testLDAP server001
Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.10.00.10:34567
Identity the client attempted to authenticate as:
Test\SVC_testLDAP
Binding Type: 3
Otherwise I will try Splunk Field Extraction.
Thanks again for the help.
Hi,
In your case, you have to write a field extraction regex for the client_ip and user_id fields.
Check the attached screenshot; if you want field extraction like that, append the below code to your query:
| rex field=_raw "Client IP address:\s(?<client_ip>[\d\.\:]+)[\s\w]+\:\s(?<user_id>[^\s]+)"
If these fields are used very often, instead of extracting them at run time with a query, you can use the Splunk Field Extraction utility for automatic field extraction.
https://docs.splunk.com/Documentation/Splunk/8.0.1/Knowledge/ExtractfieldsinteractivelywithIFX
Accept & upvote the answer if it helps.
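To see what the rex above actually captures against the multi-line Message layout, here is an added Python example (not part of the thread, not Splunk's code) that runs the equivalent regex over a constructed 2889-style event built from the layout shown in the posts. Compared with the thread's rex it splits the port off the IP (the asker's table wants 10.10.00.10 without :34567), matches the "Identity the client attempted to authenticate as:" label literally instead of with `[\s\w]+`, and also pulls ComputerName from the header lines. The sample events, the function names and the column order are assumptions made for the example; a process-creation event that does not match returns None, which is what rex does on a non-matching event (no fields extracted).

```python
import re

# Constructed sample events in the layout shown in the thread (not real captures).
# Only the header lines the example needs are included.
UNSIGNED_BIND_EVENT = (
    "EventCode=2889\n"
    "ComputerName= server001\n"
    "Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) "
    "LDAP bind without requesting signing (integrity verification), or performed a "
    "simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n"
    "Client IP address:\n"
    "10.10.00.10:34567\n"
    "Identity the client attempted to authenticate as:\n"
    "Test\\SVC_testLDAP\n"
    "Binding Type: 3\n"
)

# A Windows process-creation audit event (EventCode 4688), constructed so the
# example can show what happens when the bind regex does not match.
PROCESS_CREATION_EVENT = (
    "EventCode=4688\n"
    "ComputerName= server001\n"
    "Message=A new process has been created.\n"
    "Creator Subject:\n"
    "Security ID: NT AUTHORITY\\SYSTEM\n"
    "Account Name: test01\n"
    "Process Information:\n"
    "New Process Name: C:\\Program Files\\etc\\zip.exe\n"
)

# The thread's rex, ported to Python's (?P<name>...) group syntax, with the IP
# and port in separate groups and the second label matched literally so a stray
# colon elsewhere in the message cannot shift the user_id capture.
BIND_RE = re.compile(
    r"Client IP address:\s*(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?::(?P<client_port>\d+))?"
    r"\s*Identity the client attempted to authenticate as:\s*(?P<user_id>\S+)"
)

# ComputerName sits in the header, outside Message, and may carry a space after
# '=' as in the thread's sample ("ComputerName= server001").
HOST_RE = re.compile(r"^ComputerName=\s*(?P<computername>\S+)\s*$", re.MULTILINE)


def extract_unsigned_bind(raw):
    """Return the fields the thread asks for, or None when the event is not a
    2889-style message (like rex, which yields no fields on a miss)."""
    m = BIND_RE.search(raw)
    if m is None:
        return None
    host = HOST_RE.search(raw)
    return {
        "computername": host.group("computername") if host else None,
        "client_ip": m.group("client_ip"),
        "client_port": m.group("client_port"),
        "user_id": m.group("user_id"),
    }


def bind_table(events):
    """Header row plus one row per matching event, in the column order the
    asker sketched: Client IP address, Identity, ComputerName."""
    rows = [("Client IP address",
             "Identity the client attempted to authenticate as",
             "ComputerName")]
    for raw in events:
        fields = extract_unsigned_bind(raw)
        if fields:
            rows.append((fields["client_ip"], fields["user_id"], fields["computername"]))
    return rows


if __name__ == "__main__":
    for row in bind_table([PROCESS_CREATION_EVENT, UNSIGNED_BIND_EVENT]):
        print(" | ".join(str(c) for c in row))
```

The same regex body works in the `rex` command once the `(?P<name>` groups are written as `(?<name>`; filtering the search to EventCode=2889 first, as the asker already does, keeps non-matching events out of the table.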