topic Re: Regex working on Regex101 but not in splunk in Splunk Search

Regex working on Regex101 but not in splunk

shugup2923 — Wed, 25 Mar 2020 08:05:15 GMT

I am having below event -
Subject:
Security ID: EMEA\abc
Account Name: XXXXXXX
Account Domain: EMEA
Logon ID: XXXXXXX

Member:
Security ID: EMEA\User
Account Name: CN=XXXXXX

Group:
Security ID: XXXXXXXXXXXXXXXXXX
Account Name: XXXXXXXXXXXXXXXXXXX
Account Domain: EMEA

I need to extract Member: Security ID
I have used below regex to extract this-
Member:\n\s+Security\s+ID:\s+(?.*)

It seems to be working in Regex101 but when I use this in Splunk its not working .

Re: Regex working on Regex101 but not in splunk

gcusello — Wed, 25 Mar 2020 08:10:57 GMT

Hi @shugup2923,
please use Code Sample button (the one with 101010) to display your regex otherwise it isn't possible to help you.
Only to try in blind mode: did you inserted (?ms) at the beginning of the regex?

(?ms)Member:\s+Security\s+ID:\s+(?<Security_ID>[^ ]+)Account

Ciao.
Giuseppe

Re: Regex working on Regex101 but not in splunk

shugup2923 — Wed, 25 Mar 2020 08:16:11 GMT

Member:\n\s+Security\s+ID\:\s+(?.*)

Re: Regex working on Regex101 but not in splunk

gcusello — Wed, 25 Mar 2020 08:40:15 GMT

Try this

 (?ms)Member:\s+Security\s+ID:\s+(?<Security_ID>[^ ]+)\s+Account

Ciao.
Giuseppe