0

I am searching for specific event codes in splunk, such that the first part of the message field starts with "A member was added to a security-enabled global group". After that, it has a whole lot more information which, for my purposes, I do not need to see. I tried the following searches however I am not getting the results I want.

This search made no changes to the message: 

index="win_evt" EventCode=4728  | rex field=Message "(?<=A:)(?<Notes>.*)(?=.)" | table  _time, Account_Name, Group_Name, Message, EventCode, Message

This search completely removed the message:

index="win_evt" EventCode=4728  | eval Message = trim(replace(Message,".*","")) | table  _time, Account_Name, Group_Name, Message, EventCode, Message

This does nothing as well:

index="win_evt" EventCode=4728  | rex field=Message mode=sed "s/\..*$//" | table  _time, Account_Name, Group_Name, Message, EventCode, Message

All I want is for the | table Message to show is that first line.

SherylHohman
  • 16,580
  • 17
  • 88
  • 94
ThisGuyUsesPowershell
  • 51
  • 2
  • 9

1 Answers1

0

You should probably post a sample event to help explain what you are doing.

Assuming that this rex is correct, | rex field=Message "(?<=A:)(?<Notes>.*)(?=.)", this is placing the extracted data into a new field, called Notes. In your table command, you have the fields _time, Account_Name, Group_Name, Message, EventCode, Message. I think you should replace Message with Notes, so your search should be

index="win_evt" EventCode=4728 | rex field=Message "(?<=A:)(?<Notes>.*)(?=.)" | table _time, Account_Name, Group_Name, Message, EventCode, Notes

Or just the following should suffice

index="win_evt" EventCode=4728 | rex field=Message "^(?<firstline>.*)" | table _time, Account_Name, Group_Name, firstline, EventCode

Simon Duff
  • 2,631
  • 2
  • 7
  • 15