2013-10-25 10:49:33,Major,REMOVED,Allowed, - Caller MD5=61b1dfb9703d0d678e108e0156fcbb69,Create Process,Begin: 2013-10-25 10:49:19,End: 2013-10-25 10:49:19,Rule: This one is a splat | Watch these Executables,1568,C:/Program Files/VMware/VMware Tools/vmtoolsd.exe,0,No Module Name,C:/Windows/System32/net.exe,User: SYSTEM,Domain: WORKGROUP,Action Type:
My version 5 environment grabs it? In version 6 the fields are far fewer. Still a n00b on both releases, but trying to transform our data out to the nullQueue is hard enough without the added complexity of not having a field... HELP!!!!
remark: you cannot use fields with nullQueue filtering, because the fields are extracted at search time, not at index time. You need a proper regex to define a filter for nullQueue.
at search time try:
* | rex "User: (?<User>\w+)" | table User _raw
at index time for the props for nullQueue try a simple
REGEX = User: SYSTEM
or a conditional
REGEX = User: (SYSTEM|MYOTHERUSER|MYOTHERUSERAGAIN)
if your question was answered, do not forget to mark the "accept check box". It will help the other users.
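The full props.conf / transforms.conf pair that wires the REGEX above into a nullQueue filter, as an added example (not part of the answer above). The sourcetype name `hips_events` and the transform name `drop_system_user` are placeholders; substitute the sourcetype the sample event is actually indexed under.

```ini
# props.conf  (added example; "hips_events" is a placeholder sourcetype name)
[hips_events]
TRANSFORMS-drop_system = drop_system_user

# transforms.conf
[drop_system_user]
# Index-time filter: this runs against the raw event text, so no search-time
# field such as User exists here; match the literal "User: ..." token instead.
# The trailing \b keeps "User: SYSTEM" from also dropping e.g. "User: SYSTEMX".
REGEX = User: (SYSTEM|MYOTHERUSER|MYOTHERUSERAGAIN)\b
DEST_KEY = queue
FORMAT = nullQueue
```

Both files belong on the instance that parses the data (indexer or heavy forwarder, not a universal forwarder), and splunkd must be restarted for them to take effect. The filter only affects events indexed after that; anything already on disk stays searchable. Because the raw event in the question reads `User: SYSTEM,Domain: WORKGROUP`, the comma after the user name is what the `\b` anchors against, so the pattern still matches the original line while staying strict about the user value.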
Thanks yannK it made sense to me and fixed what I was looking for and trying to do! thanks