topic Re: Rex Field Question in Splunk Search

Rex Field Question

johnblakley — Thu, 24 May 2018 14:15:22 GMT

I have a message field in an event id that isn't extracting properly. The part I've having an issue with is when there's a special character in the middle (of unknown length string) of the string.

For example, I can extract "test\user" with no issues, but when I have something like below:

test\user.name
test\user-name
test\username-was-here
test\username-was-not.here$

I'm unable to extract them. I've tried:

rex field=Message "(?<SubjectID>[1-9A-Za-z$].+[-$._].+[1-9A-Za-z$]

I've tried the $ with the \$ as well, but this doesn't provide any results. I've also tried taking the 'test\user-name' field and plug it in directly to see if it was show me a result, but that failed to work as well. Is there a way to do this where I could take into account all scenarios above?

Here's the log entry:

Below is a message that doesn't work due to spaces in the name/ID:

Thanks!

Re: Rex Field Question

493669 — Thu, 24 May 2018 14:35:26 GMT

can you provide whole raw data (with important data to be masked) to understand starting and ending to extract id

Re: Rex Field Question

johnblakley — Thu, 24 May 2018 14:42:53 GMT

Added to original post...thanks!

Re: Rex Field Question

493669 — Thu, 24 May 2018 14:46:57 GMT

so here are you trying to extract security id?

Re: Rex Field Question

johnblakley — Thu, 24 May 2018 14:50:10 GMT

Yes for both Subject and Target accounts. My regex works on test sites to capture all special characters, but Splunk doesn't work. It's simple enough to do "\w+[-].+[-].+" and it will find anything with two dashes. Splunk won't complain, but it will return a blank result with rex for the extracted field in

Re: Rex Field Question

493669 — Thu, 24 May 2018 14:58:25 GMT

try this for Subject accounts

...|rex field=raw "Subject:\nSecurity ID:(?<SubjectSecurityID>\S+)"

Re: Rex Field Question

johnblakley — Thu, 24 May 2018 15:14:21 GMT

Okay, thank you! Field=raw doesn't work for some reason, but this seems to:

... | rex field=Message "Subject:\s+Security\s+ID:\s+(?<SubjectSecurityID>\S+)" | table SubjectSecurityID

Re: Rex Field Question

493669 — Thu, 24 May 2018 15:18:18 GMT

now try this for both:

...| rex field=Message "(?ms)Subject:\nSecurity ID:(?<SubjectSecurityID>\S+).*Target Account:\nSecurity ID:(?<TargetSecurityID>\S+)"

Re: Rex Field Question

niketn — Thu, 24 May 2018 15:34:35 GMT

@johnblankley, which field are you trying to extract?
It is Security ID or Account Name or Logon ID? Also is it from Subject or from Target Account?

Re: Rex Field Question

johnblakley — Thu, 24 May 2018 15:37:30 GMT

Security ID from both Subject and Target sections.

Re: Rex Field Question

johnblakley — Thu, 24 May 2018 15:44:05 GMT

This is very close! I had to modify it a little, but I noticed a new issue. How can I take into account the SubjectSecurityID to have a space? What I'm seeing is "NT AUTHORITY\SYSTEM" only shows "NT". I've played around with adding something like "(?\S+\s+\w+), but that's not working.

Re: Rex Field Question

493669 — Thu, 24 May 2018 15:56:26 GMT

Try this:

...| rex field=Message  "(?ms)Subject:\nSecurity ID:(?<SubjectSecurityID>.*)Account Name.*Target Account:\nSecurity ID:(?<TargetSecurityID>.*)Account Name"

Re: Rex Field Question

johnblakley — Thu, 24 May 2018 16:03:32 GMT

Unfortunately, that didn't work. It looks like the message field is one line of characters, so the Subject now becomes the full message when using .*

The result is this:
NT AUTHORITY\SYSTEM Account Name: xxxx$ Account Domain: xxxx Logon ID: 0x3e7

It should just be:
NT AUTHORITY\SYSTEM

Re: Rex Field Question

niketn — Thu, 24 May 2018 16:06:57 GMT

Do you want to extract them as multi-value in the same field or separate fields?

Re: Rex Field Question

niketn — Thu, 24 May 2018 16:14:54 GMT

[Updated Answer]

Since Security ID: is followed by Account Name:, following regex extracts all characters between the two using .+

<yourBaseSearch> EventCode=4724 Message="*" "Subject:" "Target Account:" "Security ID:"
|  rex field=Message "Security ID:\s+(?<SecurityID>.+)\s+Account Name:" max_match=2
|  eval SubjectSecurityID=mvindex(SecurityID,0), TargetAccountSecurityID=mvindex(SecurityID,1)

Please try out and confirm!

@johnblakley, please try the following:

<yourBaseSearch> EventCode=4724 Message="*" "Subject:" "Target Account:" "Security ID:"
|  rex field=Message "Security ID:\s+(?<SecurityID>[^\s]+)\s" max_match=2
|  eval SubjectSecurityID=mvindex(SecurityID,0), TargetAccountSecurityID=mvindex(SecurityID,1)

Re: Rex Field Question

493669 — Thu, 24 May 2018 16:20:46 GMT

can you provide whole message where it won't work...

Re: Rex Field Question

johnblakley — Thu, 24 May 2018 16:27:54 GMT

Added to original post. It's breaking on security IDs with spaces. This is just one example, so the \S+ is stopping at the space.

Re: Rex Field Question

johnblakley — Thu, 24 May 2018 16:28:21 GMT

This works, but it's also breaking at the space in the security ID.

Re: Rex Field Question

johnblakley — Thu, 24 May 2018 16:35:24 GMT

This seems to have worked...do you see any issues with it?

(?\S+.\w+.\w+)

Re: Rex Field Question

493669 — Thu, 24 May 2018 16:44:21 GMT

please use 101010 button for query so that no special characters get removed.
it will work only for particular pattern.
have you tried below...it seems to be working..

...| rex field=Message  "(?ms)Subject:\nSecurity ID:(?<SubjectSecurityID>.*)Account Name.*Target Account:\nSecurity ID:(?<TargetSecurityID>.*)Account Name"