I want to extract a key-value pair from multiple events and create a single event with those extractions.
We have events coming in with a unique EventCode. I only want the EventCode; everything else can be "thrown out". I want to create a single event with multiple event codes.
Event 1:
10/12/2016 03:30:23 PM
LogName=Microsoft-Windows-WLAN-AutoConfig/Operational
SourceName=Microsoft-Windows-WLAN-AutoConfig
EventCode=12000
EventType=4
Type=Information
ComputerName=xxxxxxxxxxxxxxxxxxxxxx
User=NOT_TRANSLATED
Sid=S-x-x-xx
SidType=0
TaskCategory=OneXAuthentication
OpCode=Start
RecordNumber=xxxxx
Keywords=None
Message=Wireless xxx.xx authentication started.
Network Adapter: xxxxxxxxxxxxxxxxxxxxxxxxxx
Interface GUID: {xxxxxxxxxxxxxxxxxxxxxxxx}
Local MAC Address: xxxxxxxxxxxxxxxxxx
Network SSID: xxxxxxx
BSS Type: Infrastructure
Eap Information: Type 25, Vendor ID 0, Vendor Type 0, Author ID 0
Event 2:
10/12/2016 03:30:24 PM
LogName=Microsoft-Windows-WLAN-AutoConfig/Operational
SourceName=Microsoft-Windows-WLAN-AutoConfig
EventCode=19000
EventType=4
Type=Information
ComputerName=xxxxxxxxxxxxxxxxxxxxxx
User=NOT_TRANSLATED
Sid=S-x-x-xx
SidType=0
TaskCategory=OneXAuthentication
OpCode=Start
RecordNumber=xxxxx
Keywords=None
Message=Wireless xxx.xx authentication started.
Network Adapter: xxxxxxxxxxxxxxxxxxxxxxxxxx
Interface GUID: {xxxxxxxxxxxxxxxxxxxxxxxx}
Local MAC Address: xxxxxxxxxxxxxxxxxx
Network SSID: xxxxxxx
BSS Type: Infrastructure
Eap Information: Type 25, Vendor ID 0, Vendor Type 0, Author ID 0
After extracting the EventCode, I want to discard everything else and have a single event look like this:
10/12/2016 03:30:23 PM -- EventCode=12000
10/12/2016 03:30:24 PM -- EventCode=19000
I was thinking about extracting the event code and populating it in a summary index so I can create a new event from the extracted values. Is there a better way of going about this? Any recommendations would be great!
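As an added illustration of the extraction step described above (this is not code from the original post or from Splunk): the script below splits raw text in the key=value layout shown in the question into events, keeps only the timestamp and the EventCode, and collapses them into one multi-line event of "time -- EventCode=N" lines. The sample input is constructed from the two masked events in the question; the field names `_time` and `_unparsed`, the function names, and the assumption that `Message` is the last keyed field (so every following line up to the next timestamp is message body) are choices made here, not part of the original.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: two trimmed WLAN-AutoConfig events in the layout
# shown in the question (values masked with x's as in the post).
SAMPLE_EVENTS = """\
10/12/2016 03:30:23 PM
LogName=Microsoft-Windows-WLAN-AutoConfig/Operational
SourceName=Microsoft-Windows-WLAN-AutoConfig
EventCode=12000
EventType=4
Type=Information
ComputerName=xxxxxxxxxxxxxxxxxxxxxx
TaskCategory=OneXAuthentication
Message=Wireless xxx.xx authentication started.
Network Adapter: xxxxxxxxxxxxxxxxxxxxxxxxxx
Network SSID: xxxxxxx
Eap Information: Type 25, Vendor ID 0, Vendor Type 0, Author ID 0
10/12/2016 03:30:24 PM
LogName=Microsoft-Windows-WLAN-AutoConfig/Operational
SourceName=Microsoft-Windows-WLAN-AutoConfig
EventCode=19000
EventType=4
Type=Information
ComputerName=xxxxxxxxxxxxxxxxxxxxxx
TaskCategory=OneXAuthentication
Message=Wireless xxx.xx authentication started.
Network Adapter: xxxxxxxxxxxxxxxxxxxxxxxxxx
Network SSID: xxxxxxx
Eap Information: Type 25, Vendor ID 0, Vendor Type 0, Author ID 0
"""

# A line that is only an "MM/DD/YYYY hh:mm:ss AM|PM" stamp starts a new event.
TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split raw text into events; return one dict of fields per event.

    The synthetic '_time' key holds the timestamp line. Once Message= has been
    seen, every later line up to the next timestamp is appended to Message, so
    a '=' inside the free-text body is never mistaken for a new field.
    Assumption (ours): Message is the last keyed field, as in the question.
    """
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    in_message = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line):
            if current:
                events.append(current)
            current = {"_time": line}
            in_message = False
            continue
        if in_message:
            current["Message"] += "\n" + line
            continue
        key, sep, value = line.partition("=")
        if sep and key and " " not in key:
            current[key] = value
            in_message = key == "Message"
        else:
            # Keep, rather than silently drop, a line that fits neither shape.
            current["_unparsed"] = current.get("_unparsed", "") + line + "\n"
    if current:
        events.append(current)
    return events


def extract_codes(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Keep only what the question asks for: the timestamp and the EventCode."""
    return [(e["_time"], e["EventCode"]) for e in events if "EventCode" in e]


def build_summary_event(events: List[Dict[str, str]]) -> str:
    """Collapse many events into one event of 'time -- EventCode=N' lines."""
    return "\n".join(f"{ts} -- EventCode={code}" for ts, code in extract_codes(events))


if __name__ == "__main__":
    print(build_summary_event(parse_events(SAMPLE_EVENTS)))
```

The (timestamp, EventCode) tuples that `extract_codes` returns are exactly what a summary-index approach would store; the parser's only real job is getting the event boundary and the Message boundary right, which is where a naive split on "=" goes wrong.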