https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-rex-command-to-filter-Windows-security-events/m-p/384420#M112272 <P>Hi there, </P> <P>I'm trying to extract some data from Windows security logs and filter the counted results. </P> <P>This search doesn't work though — any help?</P> <PRE><CODE>index=something (EventCode="4732" OR EventCode="4728" OR EventCode="4756") | rex "(?i)Subject:W\r\n\tSecurity ID:\t\t(?P&lt;Subject&gt;.+)" | rex "(?i)Member:\W\r\n\tSecurity ID:\t\t(?P&lt;Member&gt;.+)" | rex "(?i)Group:\W\r\n\tSecurity ID:\t\t(?P&lt;Group&gt;.+)" | search group_obj_id="*admin*" OR group_obj_id="*adm*" OR group_obj_id="*admn*" | convert ctime(_time) AS time | eval Group_and_time=Group+"--"+time | stats values(Group_and_time) as "Group added and Time added" dc(Group) as group_count by Member | where group_count&gt;1 | rename group_count as "Group Count" </CODE></PRE> Fri, 15 Feb 2019 11:52:00 GMT swimena 2019-02-15T11:52:00Z https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-rex-command-to-filter-Windows-security-events/m-p/384420#M112272 <P>Hi there, </P> <P>I'm trying to extract some data from Windows security logs and filter the counted results. </P> <P>This search doesn't work though — any help?</P> <PRE><CODE>index=something (EventCode="4732" OR EventCode="4728" OR EventCode="4756") | rex "(?i)Subject:W\r\n\tSecurity ID:\t\t(?P&lt;Subject&gt;.+)" | rex "(?i)Member:\W\r\n\tSecurity ID:\t\t(?P&lt;Member&gt;.+)" | rex "(?i)Group:\W\r\n\tSecurity ID:\t\t(?P&lt;Group&gt;.+)" | search group_obj_id="*admin*" OR group_obj_id="*adm*" OR group_obj_id="*admn*" | convert ctime(_time) AS time | eval Group_and_time=Group+"--"+time | stats values(Group_and_time) as "Group added and Time added" dc(Group) as group_count by Member | where group_count&gt;1 | rename group_count as "Group Count" </CODE></PRE> Fri, 15 Feb 2019 11:52:00 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-rex-command-to-filter-Windows-security-events/m-p/384420#M112272 swimena 2019-02-15T11:52:00Z https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-rex-command-to-filter-Windows-security-events/m-p/384421#M112273 <P>First of all, your RegEx does not seem to work ... you have to make it multiline-matching, the case-instensitivity is not necessary. It can be eased down a bit as well. Next, line #5 is sort of redundant, as <CODE>group_obj_id="*adm*"</CODE> covers the other two selections as well. The rest seems to work fine - at leat in my test environment.</P> <P>This does it for me:</P> <PRE><CODE>index=something (EventCode="4732" OR EventCode="4728" OR EventCode="4756") | rex "(?im)Subject:[^:]+:\t*(?P&lt;Subject&gt;.+)\n" | rex "(?im)Member:[^:]+:\t*(?P&lt;Member&gt;.+)\n" | rex "(?im)Group:[^:]+:\t*(?P&lt;Group&gt;.+)\n" | search group_obj_id="*adm*" | convert ctime(_time) AS time | eval Group_and_time=Group+"--"+time | stats values(Group_and_time) as "Group added and Time added" dc(Group) as group_count by Member | where group_count&gt;1 | rename group_count as "Group Count" </CODE></PRE> Fri, 15 Feb 2019 12:47:08 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-rex-command-to-filter-Windows-security-events/m-p/384421#M112273 DMohn 2019-02-15T12:47:08Z https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-rex-command-to-filter-Windows-security-events/m-p/384422#M112274 <P>Thanks again @DMohn <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>I'm getting results in the Events tab, however, I can't display any statistics out of it. <BR /> I'll try to cut some of the code and see whether anything changes...</P> Fri, 15 Feb 2019 13:17:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-rex-command-to-filter-Windows-security-events/m-p/384422#M112274 swimena 2019-02-15T13:17:25Z