Splunk Search

How do I specify results from a log where fields repeat with different values?

BlackZao
Explorer

I am trying to create a visualization of a search that I am performing which brings up Security Audit log files that look like this:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=(domain.controller)
TaskCategory=User Account Management
OpCode=Info
RecordNumber=(look! A number!)
Keywords=Audit Success
Message=A user account was created.

Subject:
    Security ID:        (Domain)\(System Account)
    Account Name:       (System Account)
    Account Domain:     (Domain)
    Logon ID:       (A hex string appears!)

New Account:
    Security ID:        (Domain)\(New User ID)
    Account Name:       (New User ID)
    Account Domain:     (Domain)

What I am trying to do is specify that I want the Account Name fields listed in two separate columns of a table, one column for the Subject: Account Name: and one for New Account: Account Name: to show what accounts created what accounts over time. The problem is that the search just sees Account Name twice and aggregates it all into one field.

0 Karma
1 Solution

JSapienza
Contributor

For a search time extraction you could do something like this:

source="WinEventLog:Security" "EventCode=4720" |rex field=_raw "Subject:\s*.*\s*Account Name:\s+(?<Account_Name_Subject>\S.*)" |rex field=_raw "New Account:\s*.*\s*Account Name:\s+(?<Account_Name_New>\S.*)"|table Account_Name_Subject, Account_Name_New

BlackZao
Explorer

Absolutely perfect, thank you!

0 Karma

kristian_kolb
Ultra Champion

You can use the mvindex() function in eval to get to the second one, which is what I suspect you want.

sourcetype=WinEventLog:Security EventCode=4720 | eval New_Account_Name = mvindex(Account_Name,1) | the rest of your search

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonEvalFunctions

/K
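
To see how the two answers above behave on the event layout from the question, here is an added Python example (not code from either poster or from Splunk). It translates the accepted answer's two rex patterns into Python's `re` syntax and models kristian_kolb's `mvindex(Account_Name, 1)` approach as a positional pick from every "Account Name:" occurrence. The sample events, host name and account names are constructed placeholders, and the assumption is that Python's `re` behaves like Splunk's PCRE here (`.` stops at a newline, `\s` crosses one), which holds for these patterns.

```python
import re

# Constructed sample event modelled on the 4720 message quoted in the question.
# All values are placeholders, not a real audit record.
SAMPLE_EVENT = """LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=dc01.example.local
TaskCategory=User Account Management
OpCode=Info
RecordNumber=123456
Keywords=Audit Success
Message=A user account was created.

Subject:
    Security ID:        EXAMPLE\\svc_provisioning
    Account Name:       svc_provisioning
    Account Domain:     EXAMPLE
    Logon ID:       0x3E7

New Account:
    Security ID:        EXAMPLE\\jdoe
    Account Name:       jdoe
    Account Domain:     EXAMPLE
"""

# Constructed variant with the Subject block missing, to show how the two
# extraction strategies differ when the layout is not what they assume.
EVENT_WITHOUT_SUBJECT = """EventCode=4720
Message=A user account was created.

New Account:
    Security ID:        EXAMPLE\\jdoe
    Account Name:       jdoe
    Account Domain:     EXAMPLE
"""

# The two rex patterns from the accepted answer, translated to Python syntax
# (PCRE's (?<name>...) becomes (?P<name>...); '.' still stops at a newline and
# '\s' still crosses one, so the matching behaviour is the same).
SUBJECT_RE = re.compile(r"Subject:\s*.*\s*Account Name:\s+(?P<Account_Name_Subject>\S.*)")
NEW_ACCOUNT_RE = re.compile(r"New Account:\s*.*\s*Account Name:\s+(?P<Account_Name_New>\S.*)")

# Stand-in for Splunk's automatic "Account Name:" extraction, which yields one
# multivalue field holding every occurrence in document order.
ACCOUNT_NAME_RE = re.compile(r"Account Name:\s+(\S.*)")


def _clean(value):
    # '.*' runs to end of line, so a trailing '\r' (CRLF events) or trailing
    # spaces would be captured; strip them so the column values compare cleanly.
    return value.strip() if value is not None else None


def extract_by_section(event):
    """Section-anchored extraction: mirrors the accepted answer's two rex commands."""
    subject = SUBJECT_RE.search(event)
    new = NEW_ACCOUNT_RE.search(event)
    return {
        "Account_Name_Subject": _clean(subject.group("Account_Name_Subject")) if subject else None,
        "Account_Name_New": _clean(new.group("Account_Name_New")) if new else None,
    }


def extract_by_position(event):
    """Positional extraction: mirrors eval mvindex(Account_Name, 0) / mvindex(Account_Name, 1)."""
    values = ACCOUNT_NAME_RE.findall(event)
    # mvindex returns null when the index is out of range; model that with None.
    return {
        "Account_Name_Subject": _clean(values[0]) if len(values) > 0 else None,
        "Account_Name_New": _clean(values[1]) if len(values) > 1 else None,
    }


def creation_table(events, extractor=extract_by_section):
    """One row per event, like '| table Account_Name_Subject, Account_Name_New'."""
    return [extractor(e) for e in events]


if __name__ == "__main__":
    for row in creation_table([SAMPLE_EVENT, EVENT_WITHOUT_SUBJECT]):
        print(row)
    for row in creation_table([SAMPLE_EVENT, EVENT_WITHOUT_SUBJECT], extract_by_position):
        print(row)
```

On the normal 4720 layout both strategies produce the same two columns. The constructed event without a Subject block shows the difference that matters for attribution: the section-anchored rex leaves the creator column empty and still finds the new account, while the positional pick silently shifts the new account into the creator column. If the goal is a "who created whom" timeline, anchoring on the section header is the safer choice; the same pattern pair also copes with CRLF-terminated events because the trailing carriage return is stripped.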
