topic Re: How to create a regex to return events with specific usernames in a field? in Splunk Search

How to create a regex to return events with specific usernames in a field?

adamfiore — Tue, 26 Jun 2018 19:08:06 GMT

I am trying to create a search that returns only those events that have a specific username (or part of a username) in the Account Name field under Target Account. I have zero experience with regular expressions, but based on some other posts I was able to put together a regex that seems to locate the appropriate field (which I tested on regex101.com). However, I can't seem to get the search to work - I've tried three different variations, and all error out. One final note, I'm using "like" because in the final iteration of the search, I'll be looking for any username that contains a specific suffix, not just one specific account. Appreciate the help.

WORKING REGEX

(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)

SAMPLE EVENT

6/25/2018 01:07:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4723
EventType=0
Type=Information
ComputerName=SERVER.TRX.COM
TaskCategory=User Account Management
OpCode=Info
RecordNumber=329720657
Keywords=Audit Success
Message=An attempt was made to change an account's password.
Subject:
    Security ID:        TRX\jsmith
    Account Name:   jsmith
    Account TRX:        TRX
    Logon ID:       0x6368FECE
Target Account:
    Security ID:        TRX\jsmith
    Account Name:   jsmith
    Account TRX:        TRX
Additional Information:
    Privileges

SEARCH THAT WORKS (But does not use the regular expression)

EventCode=4723 OR EventCode=4724 | where like (Account_Name,"jsmith")

REGEX SEARCHES TRIED

EventCode=4723 OR EventCode=4724 | where like ((regex "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)"),"jsmith")
EventCode=4723 OR EventCode=4724 | where like ((regex = "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)"),"jsmith")
EventCode=4723 OR EventCode=4724 | where like ((regex = (?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)),"jsmith")

Re: How to create a regex to return events with specific usernames in a field?

jkat54 — Tue, 26 Jun 2018 19:47:17 GMT

Try this:

https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Regex

... root search ... | regex AccountName=“Regex”

Or even this

... root search ... | rex “Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)” | where Account_Name=jsmith

Re: How to create a regex to return events with specific usernames in a field?

aholzer — Tue, 26 Jun 2018 20:42:47 GMT

These look like winEventLog:Security. You should look into using the Splunk TA for windows and the out of the box sourcetypes that come with it to handle this type of data. Then your extractions will work automatically rather than having to write your own.

In terms of running an inline regex what @jkat54 said is correct, just run your base search followed by ... | regex "(?ms)Target Account:.*Security ID:.*Account Name:\s+jsmith"

Re: How to create a regex to return events with specific usernames in a field?

adamfiore — Wed, 27 Jun 2018 17:19:59 GMT

Thanks. That worked and I'll also look into TA for Windows. Appreciate the help.

Re: How to create a regex to return events with specific usernames in a field?

the_wolverine — Wed, 27 Jun 2018 17:34:45 GMT

You don't need to use the regex command if the field extract already exists:

root search jsmith OR AccountName=jsmith