https://community.splunk.com/t5/Getting-Data-In/Blacklist-2-fields-on-same-event/m-p/581569#M102519 <P>Hi all, I'm trying to create a blacklist for an event after checking 2 different fields on different lines.<BR /><BR />I can get them filtered individually, but without an "AND" operator, like OR has "|", I'm struggling.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Sample Event</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: SYSTEM Account Name: COMPUTER$ Account Domain: XXXX.NET Logon ID: 0x6C6C65F09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {970e0bf8-ccc7-18fd-7be9-d5efe2ab8b22} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>So what I'm trying to do is filter on Logon Type=3 AND Account Name: xxx$</P><P>&nbsp;</P><P>I have tried stuff that works on regex101, etc.&nbsp; And it will work there, but Splunk doesn't seem to recognize it.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">(?=.*?(Logon\sType:[\s]*3))(?=.*?(Account\sName:[\s]*.*\$))</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Any help is appreciated</P><P>&nbsp;</P> Tue, 18 Jan 2022 23:14:20 GMT icewolf69 2022-01-18T23:14:20Z https://community.splunk.com/t5/Getting-Data-In/Blacklist-2-fields-on-same-event/m-p/581569#M102519 <P>Hi all, I'm trying to create a blacklist for an event after checking 2 different fields on different lines.<BR /><BR />I can get them filtered individually, but without an "AND" operator, like OR has "|", I'm struggling.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Sample Event</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: SYSTEM Account Name: COMPUTER$ Account Domain: XXXX.NET Logon ID: 0x6C6C65F09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {970e0bf8-ccc7-18fd-7be9-d5efe2ab8b22} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>So what I'm trying to do is filter on Logon Type=3 AND Account Name: xxx$</P><P>&nbsp;</P><P>I have tried stuff that works on regex101, etc.&nbsp; And it will work there, but Splunk doesn't seem to recognize it.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">(?=.*?(Logon\sType:[\s]*3))(?=.*?(Account\sName:[\s]*.*\$))</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Any help is appreciated</P><P>&nbsp;</P> Tue, 18 Jan 2022 23:14:20 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklist-2-fields-on-same-event/m-p/581569#M102519 icewolf69 2022-01-18T23:14:20Z https://community.splunk.com/t5/Getting-Data-In/Blacklist-2-fields-on-same-event/m-p/581585#M102520 <P>Took me a while but figured it out, incase someone shows up here in the future!<BR /><BR />source="WinEventLog:Security" EventCode=4624 | regex Message="(?ms)Logon\sType:[\s]*(3).*Account\sName:[\s]*(.*\$)"</P> Wed, 19 Jan 2022 05:16:39 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklist-2-fields-on-same-event/m-p/581585#M102520 icewolf69 2022-01-19T05:16:39Z