topic Re: How to Regex the second occurrence of Account Name in AD logs in Splunk Search

How to Regex the second occurrence of Account Name in AD logs

Log_wrangler — Wed, 15 May 2019 21:47:22 GMT

I need to filter AD logs with Event Code 4725 "A user account was disabled".
I need to regex and filter the second occurrence of "Account Name:" so that I can further filter by account names.
The specific issue is that in each event Message there is a "Service Account Name" associated with the "Target Account: Account Name:" And I only want the Account Name under the Target Account.

Although the formatting is not indented correctly, this is a typical 4725 event.

05/02/2019 10:32:13 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4725
EventType=0
... 1 line omitted ...
ComputerName=123.ds.abc.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=63515116
Keywords=Audit Success
Message=A user account was disabled.
Subject:
Security ID: S-132121123131213
Account Name: Blah-service
Account Domain: DS
Logon ID: 0x2ea0e04f8
Target Account:
Security ID: S-456454313131321
Account Name: BlahBlah
Account Domain: DS

In Regex 101 I can capture the value I need but in splunk I cannot get the rex to work.

Currently I have

index=main  sourcetype=AD_logs EventCode="4725" | rex field = Message "Account Name\:\s+(?<disabled>.+)" | table disabled

but this only gives me the first Account Name: Blah-service when I need the second Account Name: BlahBlah

I cannot find a good example of how to match on the second occurrence of 'Account Name'.

Any help is greatly appreciated.

Re: How to Regex the second occurrence of Account Name in AD logs

vnravikumar — Wed, 15 May 2019 22:08:19 GMT

Give a try

your query......| rex field=message max_match=0 "Account Name\:\s+(?P<disabled>.+)" 
| eval disabled= mvindex(disabled,1)

Re: How to Regex the second occurrence of Account Name in AD logs

yeahnah — Wed, 15 May 2019 22:17:05 GMT

If using rex (there are other KV extraction options using transforms) then you can pass it its max_match option and, if "Account Name" is found twice, then the disabled field will be multi-valued, which can then be tested for both fields with the 2nd field being set, as below
...
| rex field=Message max_match=2 "Account Name: (?.+)"
| eval disabled=if(mvcount(disabled)=2, mvindex(disabled, 1), disabled)

Hope this helps.

Re: How to Regex the second occurrence of Account Name in AD logs

Log_wrangler — Thu, 16 May 2019 14:21:30 GMT

Thank you!