Hey, I'm very experienced using Splunk as an analyst, but not at all experienced on the admin side of things, but am trying to learn. I was recently given a JSON file full of Windows Logs to analyze. Not sure why they gave me the data that way, but they did, and that's how I have to use it.
When I try and upload the file to Splunk, I select "Add Data", I upload the file, and it does not recognize it as JSON. If I select json_no_timestamp, it seems to recognize it, but doesn't break it up into events. Every event starts the same way, and I copied the first 12 lines of JSON below (when auto-arranged). Using Regex101, I found a Regex that matches the beginning of the event, but adding that into Event Breaks Pattern does not break the event.
I've tried the following Event Breaks Patterns because sometimes when you copy the lines, there is whitespace, and sometimes there is no whitespace (Splunk, Atom, and Regex101 show line breaks and whitespace, but when I copied it into this comment... no line breaks! Unsure if that's b/c of presentation or just copy/paste): \{\s\"sort\"\: {\n\s+\"sort\" \{\r\n\s+\"sort\"\: { "sort":
{
"data": [
{
"sort": [
0
],
"_score": null,
"_type": "winevtx",
"_index": "winevtx",
"_id": "==",
"_source": {
"process_id": 488,
"message": "A Kerberos service ticket was requested.",
"provider_guid": "{}",
"log_name": "Security",
"source_name": "Microsoft-Windows-Security-Auditing",
"event_data": {
"TicketOptions": "0x60810010",
"TargetUserName": "JOHN$@LOCAL.LOCAL",
"ServiceName": "krbtgt",
"IpAddress": "::ffff:10.10.0.1",
"TargetDomainName": "LOCAL.LOCAL",
"IpPort": "53782",
"TicketEncryptionType": "0x12",
"LogonGuid": "{}",
"TransmittedServices": "-",
"Status": "0x0",
"ServiceSid": "S-1-5-21-3052363079-1128767895-2942130287-502"
},
"beat": {
"name": "LOCAL",
"version": "5.2.2",
"hostname": "LOCAL"
},
"thread_id": 1096,
"@version": "1",
"@metadata": {
"index_local_timestamp": "2017-04-20T06:27:21.283576",
"hostname": "LOCAL",
"index_utc_timestamp": "2017-04-20T06:27:21.283576",
"timezone": "UTC+0000"
},
"opcode": "Info",
"@timestamp": "2017-04-20T06:25:33.801Z",
"tags": [
"beats_input_codec_plain_applied"
],
"type": "wineventlog",
"computer_name": "LOCAL.LOCAL.local",
"event_id": 4769,
"record_number": "127898",
"level": "Information",
"keywords": [
"Audit Success"
],
"host": "LOCAL",
"task": "Kerberos Service Ticket Operations"
}
}
]
}
Every event starts with { "sort": [ 0 ], so I know that's where I want to break it up. I'm sure I'm missing something simple. What is it?
Appreciate any assistance.
... View more