How to extract info from the middle of the multi line error message

SaqibRaheem
New Member

For this use case, see the message below; what we would like to extract is:

I can extract the 1st part OK but cannot extract the 2nd part.

Needed information from Event ID message:

1st part
--Header--- --Data Results --
Account Name: test01
New Process Name: C:\Program Files\WinZip\Utils
ComputerName= server001

2nd part
This is the only information we need from the multi-line error message:

Client IP address:
10.10.00.10:34567
Identity the client attempted to authenticate as:
Test\SVC_testLDAP

===================================

See the Event ID error below as an example:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4888
EventType=0
Type=Information
ComputerName= server001
TaskCategory=Process Creation
OpCode=Info
RecordNumber=934605653
Keywords=Audit Success
Message=A new process has been created.

Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: test01
Account Domain: Test
Logon ID: 12345test

Target Subject:
Security ID: NULL SID
Account Name: Test
Account Domain: -
Logon ID: 0x0

Process Information:
New Process ID: 0x2030
New Process Name: C:\Program Files\etc\zip.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0ss0x

Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.10.00.10:34567
Identity the client attempted to authenticate as:
Test\SVC_testLDAP
Binding Type: 3

0 Karma

SaqibRaheem
New Member

Hello,

Thanks for your help.
I tried the regex code but it is not returning the desired result; it will be nice if we can do it via regex.

This gives back all the information:
index="wineventlog" EventCode=2889

When I add the regex to this, it is still the same info. Not sure if this makes a difference: all the information is under the "Message" field; we just need to pull from Message and one "ComputerName= server001" field from the top.

The 1st line is the header and below will be the data:
Client IP address: Identity the client attempted to authenticate as: ComputerName

10.10.00.10 Test\SVC_testLDAP server001

Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.10.00.10:34567
Identity the client attempted to authenticate as:
Test\SVC_testLDAP
Binding Type: 3

Else I will try Splunk Field Extraction.

Thanks again for the help.

0 Karma

gaurav_maniar
Builder

Hi,

In your case, you have to write a field extraction regex for the client_ip and user_id fields.
Check the attached screenshot; if you want field extraction like that, append your query with the below code:

| rex field=_raw "Client IP address:\s(?<client_ip>[\d\.\:]+)[\s\w]+\:\s(?<user_id>[^\s]+)" 

If these fields are used very often, instead of extracting them at run time with a query, you can use the Splunk Field Extraction utility for automatic field extraction.
https://docs.splunk.com/Documentation/Splunk/8.0.1/Knowledge/ExtractfieldsinteractivelywithIFX

Accept & upvote the answer if it helps.

0 Karma
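As an added example (not code from the thread or from Splunk), the same extraction written as a Python regex so it can be tested offline before being turned into a rex or a saved field extraction. It follows the answer's pattern of letting \s cross the newline between a label and its value, but splits the port off the IP into its own group, matching the table in the follow-up post, and also pulls ComputerName from the header. The event text is a constructed sample modelled on the one quoted in the question.

```python
import re
from typing import Optional

# Constructed sample modelled on the event quoted above (not a real log).
SAMPLE_EVENT = """LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=2889
ComputerName= server001
Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.10.00.10:34567
Identity the client attempted to authenticate as:
Test\\SVC_testLDAP
Binding Type: 3
"""

# Header field: "ComputerName= server001" (note the space after "=").
COMPUTER_RE = re.compile(r"^ComputerName=\s*(?P<computer_name>\S+)", re.MULTILINE)

# Body fields: each value sits on the line *after* its label, so \s* is used
# to step over the newline. The port is captured separately from the IP.
BIND_RE = re.compile(
    r"Client IP address:\s*(?P<client_ip>[\d.]+)(?::(?P<client_port>\d+))?\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<user_id>\S+)"
    r"(?:\s*Binding Type:\s*(?P<binding_type>\d+))?"
)


def extract_ldap_bind(event: str) -> Optional[dict]:
    """Return client_ip, client_port, user_id, binding_type and computer_name
    for an unsigned/clear-text LDAP bind event, or None for any other event."""
    m = BIND_RE.search(event)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    c = COMPUTER_RE.search(event)
    if c:
        fields["computer_name"] = c.group("computer_name")
    return fields


if __name__ == "__main__":
    print(extract_ldap_bind(SAMPLE_EVENT))
```

The 4688 process-creation event from the question has no "Client IP address:" block, so the function returns None for it rather than a partial match.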