I am trying to create a visualization of a search that I am performing which brings up Security Audit log files that look like this:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=(domain.controller)
TaskCategory=User Account Management
OpCode=Info
RecordNumber=(look! A number!)
Keywords=Audit Success
Message=A user account was created.
Subject:
Security ID: (Domain)\(System Account)
Account Name: (System Account)
Account Domain: (Domain)
Logon ID: (A hex string appears!)
New Account:
Security ID: (Domain)\(New User ID)
Account Name: (New User ID)
Account Domain: (Domain)
What I am trying to do is specify that I want the Account Name fields listed in two separate columns of a table, one column for the Subject: Account Name: and one for New Account: Account Name: to show what accounts created what accounts over time. The problem is that the search just sees Account Name twice and aggregates it all into one field.
For a search time extraction you could do something like this:
source="WinEventLog:Security" "EventCode=4720" |rex field=_raw "Subject:\s*.*\s*Account Name:\s+(?<Account_Name_Subject>\S.*)" |rex field=_raw "New Account:\s*.*\s*Account Name:\s+(?<Account_Name_New>\S.*)"|table Account_Name_Subject, Account_Name_New
Absolutely perfect, thank you!
You can use the mvindex() function in eval to get to the second one, which is what I suspect you want.
sourcetype=WinEventLog:Security EventCode=4720 | eval New_Account_Name = mvindex(Account_Name,1) | the rest of your search
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonEvalFunctions
/K
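As an added example that is not part of the original thread, here are both approaches above side by side in Python: the two section-anchored regexes from the rex answer, and the "take the second occurrence" idea behind mvindex(Account_Name,1). The event text is a constructed sample shaped like the one in the question, with made-up account names.

```python
import re

# Constructed sample of a 4720 "A user account was created" event body,
# shaped like the question's log (made-up values, not real data).
SAMPLE_EVENT = """LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
Message=A user account was created.
Subject:
Security ID: CORP\\svc-provision
Account Name: svc-provision
Account Domain: CORP
Logon ID: 0x3E7
New Account:
Security ID: CORP\\jdoe
Account Name: jdoe
Account Domain: CORP
"""

# Same patterns as the rex answer. "." does not cross a newline but "\s*" does,
# so "Subject:\s*.*\s*Account Name:" skips the Security ID line and anchors on
# the Account Name line that belongs to the Subject: section (likewise for New Account:).
SUBJECT_RE = re.compile(r"Subject:\s*.*\s*Account Name:\s+(?P<Account_Name_Subject>\S.*)")
NEW_RE = re.compile(r"New Account:\s*.*\s*Account Name:\s+(?P<Account_Name_New>\S.*)")


def extract_creator_and_created(event: str) -> dict:
    """Return the Subject and New Account 'Account Name' values as two separate fields."""
    fields = {}
    for rx in (SUBJECT_RE, NEW_RE):
        m = rx.search(event)
        if m:  # a section may be absent in a malformed event; just skip it
            fields.update({k: v.strip() for k, v in m.groupdict().items()})
    return fields


def all_account_names(event: str) -> list:
    """Every 'Account Name:' value in order of appearance.

    This mirrors the multivalue Account_Name field Splunk builds when it sees the
    label twice; index 1 is what mvindex(Account_Name, 1) picks out (the new account).
    """
    return [v.strip() for v in re.findall(r"^Account Name:\s+(\S.*)$", event, re.MULTILINE)]
```

The regex approach names each value by the section it came from, so it stays correct even if a future event format reorders or adds sections; the index approach silently breaks in that case.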