https://community.splunk.com/t5/Splunk-Search/Regex-and-Windows-XML-log-events/m-p/501951#M139723 <P>Hi everyone, </P> <P>I was attempting to utilize this dashboard, but am having difficulty populating the user accounts. <BR /> <A href="https://gosplunk.com/windows-dashboard-showing-who-was-logged-on-to/">https://gosplunk.com/windows-dashboard-showing-who-was-logged-on-to/</A></P> <P>This is what the dashboard currently looks like, as you can see, the user account section is not populated. My goal is to have either the TargetUserName or TargetUserSID populated in the account section with a regex that will catch all user accounts. Any help will be greatly appreciated.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8931iF4575729216F29C2/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>This is the search being performed</P> <PRE><CODE>index="wineventlog" source="XmlWinEventLog:Security" EventCode=4624 (Logon_Type=10 OR Logon_Type=7 OR Logon_Type=2) host=$HostName$ | rex "New Logon:\s+Security ID:\s+(?&lt;account&gt;.*)" | eval Type=case(Logon_Type=10,"Remote Logon", Logon_Type=2,"Local Logon", Logon_Type=7,"Screen Unlock") | table _time host Type account | sort _time desc </CODE></PRE> <P>Here is an example of the Windows XML event</P> <PRE><CODE>&lt;Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'&gt;&lt;System&gt;&lt;Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/&gt;&lt;EventID&gt;4624&lt;/EventID&gt;&lt;Version&gt;1&lt;/Version&gt;&lt;Level&gt;0&lt;/Level&gt;&lt;Task&gt;12544&lt;/Task&gt;&lt;Opcode&gt;0&lt;/Opcode&gt;&lt;Keywords&gt;0x8020000000000000&lt;/Keywords&gt;&lt;TimeCreated SystemTime='2020-05-21T14:23:42.544642200Z'/&gt;&lt;EventRecordID&gt;20131980&lt;/EventRecordID&gt;&lt;Correlation/&gt;&lt;Execution ProcessID='560' ThreadID='872'/&gt;&lt;Channel&gt;Security&lt;/Channel&gt;&lt;Computer&gt;Computer.AD.computer.com&lt;/Computer&gt;&lt;Security/&gt;&lt;/System&gt;&lt;EventData&gt;&lt;Data Name='SubjectUserSid'&gt;NT AUTHORITY\SYSTEM&lt;/Data&gt;&lt;Data Name='SubjectUserName'&gt;Computer$&lt;/Data&gt;&lt;Data Name='SubjectDomainName'&gt;AD&lt;/Data&gt;&lt;Data Name='SubjectLogonId'&gt;0x3e7&lt;/Data&gt;&lt;Data Name='TargetUserSid'&gt;AD\admin-v&lt;/Data&gt;&lt;Data Name='TargetUserName'&gt;admin-v&lt;/Data&gt;&lt;Data Name='TargetDomainName'&gt;AD&lt;/Data&gt;&lt;Data Name='TargetLogonId'&gt;0x1f02e303&lt;/Data&gt;&lt;Data Name='LogonType'&gt;10&lt;/Data&gt;&lt;Data Name='LogonProcessName'&gt;User32 &lt;/Data&gt;&lt;Data Name='AuthenticationPackageName'&gt;Negotiate&lt;/Data&gt;&lt;Data Name='WorkstationName'&gt;Computer&lt;/Data&gt;&lt;Data Name='LogonGuid'&gt;{00000000-0000-0000-0000-000000000000}&lt;/Data&gt;&lt;Data Name='TransmittedServices'&gt;-&lt;/Data&gt;&lt;Data Name='LmPackageName'&gt;-&lt;/Data&gt;&lt;Data Name='KeyLength'&gt;0&lt;/Data&gt;&lt;Data Name='ProcessId'&gt;0x20b8&lt;/Data&gt;&lt;Data Name='ProcessName'&gt;C:\Windows\System32\winlogon.exe&lt;/Data&gt;&lt;Data Name='IpAddress'&gt;10.0.0.0&lt;/Data&gt;&lt;Data Name='IpPort'&gt;0&lt;/Data&gt;&lt;Data Name='ImpersonationLevel'&gt;%%1833&lt;/Data&gt;&lt;/EventData&gt;&lt;/Event&gt; </CODE></PRE> Thu, 21 May 2020 15:02:57 GMT mysicksi 2020-05-21T15:02:57Z https://community.splunk.com/t5/Splunk-Search/Regex-and-Windows-XML-log-events/m-p/501951#M139723 <P>Hi everyone, </P> <P>I was attempting to utilize this dashboard, but am having difficulty populating the user accounts. <BR /> <A href="https://gosplunk.com/windows-dashboard-showing-who-was-logged-on-to/">https://gosplunk.com/windows-dashboard-showing-who-was-logged-on-to/</A></P> <P>This is what the dashboard currently looks like, as you can see, the user account section is not populated. My goal is to have either the TargetUserName or TargetUserSID populated in the account section with a regex that will catch all user accounts. Any help will be greatly appreciated.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8931iF4575729216F29C2/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>This is the search being performed</P> <PRE><CODE>index="wineventlog" source="XmlWinEventLog:Security" EventCode=4624 (Logon_Type=10 OR Logon_Type=7 OR Logon_Type=2) host=$HostName$ | rex "New Logon:\s+Security ID:\s+(?&lt;account&gt;.*)" | eval Type=case(Logon_Type=10,"Remote Logon", Logon_Type=2,"Local Logon", Logon_Type=7,"Screen Unlock") | table _time host Type account | sort _time desc </CODE></PRE> <P>Here is an example of the Windows XML event</P> <PRE><CODE>&lt;Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'&gt;&lt;System&gt;&lt;Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/&gt;&lt;EventID&gt;4624&lt;/EventID&gt;&lt;Version&gt;1&lt;/Version&gt;&lt;Level&gt;0&lt;/Level&gt;&lt;Task&gt;12544&lt;/Task&gt;&lt;Opcode&gt;0&lt;/Opcode&gt;&lt;Keywords&gt;0x8020000000000000&lt;/Keywords&gt;&lt;TimeCreated SystemTime='2020-05-21T14:23:42.544642200Z'/&gt;&lt;EventRecordID&gt;20131980&lt;/EventRecordID&gt;&lt;Correlation/&gt;&lt;Execution ProcessID='560' ThreadID='872'/&gt;&lt;Channel&gt;Security&lt;/Channel&gt;&lt;Computer&gt;Computer.AD.computer.com&lt;/Computer&gt;&lt;Security/&gt;&lt;/System&gt;&lt;EventData&gt;&lt;Data Name='SubjectUserSid'&gt;NT AUTHORITY\SYSTEM&lt;/Data&gt;&lt;Data Name='SubjectUserName'&gt;Computer$&lt;/Data&gt;&lt;Data Name='SubjectDomainName'&gt;AD&lt;/Data&gt;&lt;Data Name='SubjectLogonId'&gt;0x3e7&lt;/Data&gt;&lt;Data Name='TargetUserSid'&gt;AD\admin-v&lt;/Data&gt;&lt;Data Name='TargetUserName'&gt;admin-v&lt;/Data&gt;&lt;Data Name='TargetDomainName'&gt;AD&lt;/Data&gt;&lt;Data Name='TargetLogonId'&gt;0x1f02e303&lt;/Data&gt;&lt;Data Name='LogonType'&gt;10&lt;/Data&gt;&lt;Data Name='LogonProcessName'&gt;User32 &lt;/Data&gt;&lt;Data Name='AuthenticationPackageName'&gt;Negotiate&lt;/Data&gt;&lt;Data Name='WorkstationName'&gt;Computer&lt;/Data&gt;&lt;Data Name='LogonGuid'&gt;{00000000-0000-0000-0000-000000000000}&lt;/Data&gt;&lt;Data Name='TransmittedServices'&gt;-&lt;/Data&gt;&lt;Data Name='LmPackageName'&gt;-&lt;/Data&gt;&lt;Data Name='KeyLength'&gt;0&lt;/Data&gt;&lt;Data Name='ProcessId'&gt;0x20b8&lt;/Data&gt;&lt;Data Name='ProcessName'&gt;C:\Windows\System32\winlogon.exe&lt;/Data&gt;&lt;Data Name='IpAddress'&gt;10.0.0.0&lt;/Data&gt;&lt;Data Name='IpPort'&gt;0&lt;/Data&gt;&lt;Data Name='ImpersonationLevel'&gt;%%1833&lt;/Data&gt;&lt;/EventData&gt;&lt;/Event&gt; </CODE></PRE> Thu, 21 May 2020 15:02:57 GMT https://community.splunk.com/t5/Splunk-Search/Regex-and-Windows-XML-log-events/m-p/501951#M139723 mysicksi 2020-05-21T15:02:57Z https://community.splunk.com/t5/Splunk-Search/Regex-and-Windows-XML-log-events/m-p/501952#M139724 <P>The problem (and there may be others) is your data does not match the regular expression. There is no "New Logon". Try this, instead.</P> <PRE><CODE>| rex "TargetUserName'&gt;(?&lt;account&gt;[^\&lt;]+)" </CODE></PRE> Thu, 21 May 2020 15:45:25 GMT https://community.splunk.com/t5/Splunk-Search/Regex-and-Windows-XML-log-events/m-p/501952#M139724 richgalloway 2020-05-21T15:45:25Z https://community.splunk.com/t5/Splunk-Search/Regex-and-Windows-XML-log-events/m-p/501953#M139725 <P>Hi Rich,</P> <P>Thank you for your help, that did it!</P> Fri, 22 May 2020 18:54:54 GMT https://community.splunk.com/t5/Splunk-Search/Regex-and-Windows-XML-log-events/m-p/501953#M139725 mysicksi 2020-05-22T18:54:54Z