topic how to get domain name, domain user name from active directory logs in Splunk Search https://community.splunk.com/t5/Splunk-Search/how-to-get-domain-name-domain-user-name-from-active-directory/m-p/244507#M176182 <P>how to get domain name, domain user name from active directory logs </P> <P>11/22/2016 04:15:20 PM<BR /> LogName=Security<BR /> SourceName=Microsoft Windows security auditing.<BR /> EventCode=4634<BR /> EventType=0<BR /> Type=Information<BR /> ComputerName=RIYSVSYM-006.KAMC-RD.ngha.med<BR /> TaskCategory=Logoff<BR /> OpCode=Info<BR /> RecordNumber=23190529<BR /> Keywords=Audit Success<BR /> Message=An account was logged off.</P> <P>Subject:<BR /> Security ID: KAMC-RD\Binshbreenab<BR /> Account Name: Binshbreenab<BR /> Account Domain: KAMC-RD<BR /> Logon ID: 0x322998008</P> <P>Logon Type: 3</P> <P>Regards<BR /> Pradeep</P> Tue, 22 Nov 2016 13:16:29 GMT seetharamanPr 2016-11-22T13:16:29Z how to get domain name, domain user name from active directory logs https://community.splunk.com/t5/Splunk-Search/how-to-get-domain-name-domain-user-name-from-active-directory/m-p/244507#M176182 <P>how to get domain name, domain user name from active directory logs </P> <P>11/22/2016 04:15:20 PM<BR /> LogName=Security<BR /> SourceName=Microsoft Windows security auditing.<BR /> EventCode=4634<BR /> EventType=0<BR /> Type=Information<BR /> ComputerName=RIYSVSYM-006.KAMC-RD.ngha.med<BR /> TaskCategory=Logoff<BR /> OpCode=Info<BR /> RecordNumber=23190529<BR /> Keywords=Audit Success<BR /> Message=An account was logged off.</P> <P>Subject:<BR /> Security ID: KAMC-RD\Binshbreenab<BR /> Account Name: Binshbreenab<BR /> Account Domain: KAMC-RD<BR /> Logon ID: 0x322998008</P> <P>Logon Type: 3</P> <P>Regards<BR /> Pradeep</P> Tue, 22 Nov 2016 13:16:29 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-domain-name-domain-user-name-from-active-directory/m-p/244507#M176182 seetharamanPr 2016-11-22T13:16:29Z Re: how to get domain name, domain user name from active directory logs https://community.splunk.com/t5/Splunk-Search/how-to-get-domain-name-domain-user-name-from-active-directory/m-p/244508#M176183 <P>Hi seetharamanPr,<BR /> your regex is <CODE>(?ms)Account Name:\s(?&lt;Name&gt;\w*)\nAccount Domain:\s(?&lt;Domain&gt;.*)\nLogon\sID:\s(?&lt;Logon_ID&gt;\w*)</CODE><BR /> as you can see at <A href="https://regex101.com/r/Wmrdhy/1">https://regex101.com/r/Wmrdhy/1</A><BR /> Bye.<BR /> Giuseppe</P> Tue, 22 Nov 2016 13:29:12 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-domain-name-domain-user-name-from-active-directory/m-p/244508#M176183 gcusello 2016-11-22T13:29:12Z