https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67029#M180462 <P>Try this:</P> <PRE><CODE>sourcetype="WinEventLog:Security" Account_Name="*fire*" </CODE></PRE> Tue, 18 Jun 2013 15:58:06 GMT JSapienza 2013-06-18T15:58:06Z https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67027#M180460 <P>Hi,</P> <P>I am trying to search the windows security log for any logs where account_name field contains fire (case insensitive).</P> <P><CODE>sourcetype="WinEventLog:Security" regex Account_Name="/(\w{1,20})?fire(\w{1,20})?/i"</CODE></P> <P>I am using the above search, but it doesn't work. Yet there are accounts which have fire in the name such as Firetestadmin or bluefire123, and there are events for this search.</P> <P>What am I doing wrong pls?</P> <P>Thanks</P> Tue, 18 Jun 2013 15:11:58 GMT https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67027#M180460 bkeeley 2013-06-18T15:11:58Z https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67028#M180461 <P>How about:</P> <PRE><CODE>sourcetype="WinEventLog:Security" | rex "(?i)Account Name:\s+(?&lt;a_fire_account&gt;.*fire.*)" </CODE></PRE> <P>I recommend that you download the Splunk for Windows technology add-on:<BR /> <A href="http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on">http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on</A></P> <P>It does field extractions in windows events for you (so you don't have to worry about rex to much)</P> <P>Then you can search as follows:</P> <PRE><CODE>sourcetype="WinEventLog:Security" Account_Name="*fire*" </CODE></PRE> Tue, 18 Jun 2013 15:57:56 GMT https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67028#M180461 chris 2013-06-18T15:57:56Z https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67029#M180462 <P>Try this:</P> <PRE><CODE>sourcetype="WinEventLog:Security" Account_Name="*fire*" </CODE></PRE> Tue, 18 Jun 2013 15:58:06 GMT https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67029#M180462 JSapienza 2013-06-18T15:58:06Z https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67030#M180463 <P>Looks like chris beat me to it..</P> Tue, 18 Jun 2013 15:59:06 GMT https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67030#M180463 JSapienza 2013-06-18T15:59:06Z https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67031#M180464 <P>Excellent - Thank you!</P> Tue, 18 Jun 2013 16:05:34 GMT https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67031#M180464 bkeeley 2013-06-18T16:05:34Z https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67032#M180465 <P>Thanks anyway <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 18 Jun 2013 16:05:54 GMT https://community.splunk.com/t5/Splunk-Search/Newb-Searching-within-account-name-field-of-event-log/m-p/67032#M180465 bkeeley 2013-06-18T16:05:54Z