Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I specify results from a log where fields repeat with different values?

BlackZao
Explorer
‎06-10-2013 07:49 AM

I am trying to create a visualization of a search that I am performing which brings up Security Audit log files that look like this:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=(domain.controller)
TaskCategory=User Account Management
OpCode=Info
RecordNumber=(look! A number!)
Keywords=Audit Success
Message=A user account was created.

Subject:
    Security ID:        (Domain)\(System Account)
    Account Name:       (System Account)
    Account Domain:     (Domain)
    Logon ID:       (A hex string appears!)

New Account:
    Security ID:        (Domain)\(New User ID)
    Account Name:       (New User ID)
    Account Domain:     (Domain)

What I am trying to do is specify that I want the Account Name fields listed in two separate columns of a table, one column for the Subject: Account Name: and one for New Account: Account Name: to show what accounts created what accounts over time. The problem is that the search just sees Account Name twice and aggregates it all into one field.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

JSapienza
Contributor
‎06-10-2013 08:46 AM

For a search time extraction you could do something like this:

source="WinEventLog:Security" "EventCode=4720" |rex field=_raw "Subject:\s*.*\s*Account Name:\s+(?<Account_Name_Subject>\S.*)" |rex field=_raw "New Account:\s*.*\s*Account Name:\s+(?<Account_Name_New>\S.*)"|table Account_Name_Subject, Account_Name_New

View solution in original post

Reply
Solved! Jump to solution
Solution

JSapienza
Contributor
‎06-10-2013 08:46 AM

For a search time extraction you could do something like this:

source="WinEventLog:Security" "EventCode=4720" |rex field=_raw "Subject:\s*.*\s*Account Name:\s+(?<Account_Name_Subject>\S.*)" |rex field=_raw "New Account:\s*.*\s*Account Name:\s+(?<Account_Name_New>\S.*)"|table Account_Name_Subject, Account_Name_New
Reply
Solved! Jump to solution

BlackZao
Explorer
‎06-10-2013 08:50 AM

Absolutely perfect, thank you!

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎06-10-2013 08:13 AM

You can use the mvindex() function in eval to get to the second one, which is what I suspect you want. 

sourcetype=WinEventLog:Security EventCode=4720 | eval New_Account_Name = mvindex(Account_Name,1) | the rest of your search

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonEvalFunctions

/K

Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...