topic Re: Generating a RegEx/ prop change doesnt work in Splunk Search

Generating a RegEx/ prop change doesnt work

Michael_Schyma1 — Fri, 20 Jul 2012 19:18:14 GMT

07/20/2012 05:19:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4726 EventType=0 Type=Information ComputerName=DCSERVER TaskCategory=User Account Management OpCode=Info RecordNumber=17011111115 Keywords=Audit Success Message=A user account was deleted. Subject: Security ID: DOMAIN\SECID Account Name: SECID Account Domain: DOMAINNAME Logon ID: 0x6e46ffd0 Target Account: Security ID: S-3-5-21-2246893-1118314593-79235642-331713 Account Name: acctname Account Domain: DOMAIN Additional Information: Privileges -

We are able to parse the message for Account Name, but both account names are in the results:

SECID
acctname

We would like to create a field extraction to provide only the second Account Name: acctname

acctname

We would like to create a regex expression for this since the change to the prop did not work. Thank you for any help that can be given.

Re: Generating a RegEx/ prop change doesnt work

lguinn2 — Fri, 20 Jul 2012 23:57:30 GMT

Here are two field extractions, one for each! In props.conf

[yoursourcetypehere]
EXTRACT-e1="SECID Account Name: (?P<SECID_account_name>\S+)"
EXTRACT-e2="(?<!SECID )Account Name: (?P<account_name>\S+)"

The second extraction uses a "negative look behind" to only match when Account Name is not preceded by SECID.
Let us know if that doesn't work...

BTW, I highly recommend the book Teach Yourself Regular Expressions in 10 Minutes by Ben Forta if you are going to be doing a lot of this sort of thing - along with a good PCRE reference book.

Re: Generating a RegEx/ prop change doesnt work

Michael_Schyma1 — Mon, 23 Jul 2012 11:15:11 GMT

Thank you for your response

Re: Generating a RegEx/ prop change doesnt work

Michael_Schyma1 — Mon, 23 Jul 2012 12:35:54 GMT

We edited the props.conf. We are running our search and are calling WinEventLog: Security. I still can not get the results that are needed. We were wondering if this would be possible to do with just a REX. All we need is the second account name. Any help would be great. Thank you.

Re: Generating a RegEx/ prop change doesnt work

sowings — Mon, 23 Jul 2012 13:26:54 GMT

The rex statement would be the same as posted above as the right hand side of "EXTRACT-e2". If that's not working from rex in a search, you'll need to adjust it until it does. Perhaps there are tabs or multiple spaces between "Name: " and the text you're trying to retrieve. Consider:

(?<!SECID )Account Name:\s+(?P<account_name>\S+)

Re: Generating a RegEx/ prop change doesnt work

Michael_Schyma1 — Mon, 23 Jul 2012 15:33:49 GMT

IT is still matching both of the account names instead of just the second one in my raw data.

Re: Generating a RegEx/ prop change doesnt work

lguinn2 — Tue, 24 Jul 2012 08:50:41 GMT

Since my first answer didn't work, here is proposal #2

[yoursourcetypehere]
EXTRACT-e1="SECID Account Name: (?P<SECID_account_name>\S+)"
EXTRACT-e2="Account Name:\s+(?P<account_name>\S+)\s+Account Domain"

This does not use the negative look-behind, but it does assume that the Account Name will always be followed by the Account Domain.

And as sowings pointed out, the regular expression could be used in the rex command as well as in props.conf.

Re: Generating a RegEx/ prop change doesnt work

Michael_Schyma1 — Tue, 24 Jul 2012 11:47:06 GMT

I have still been trying to just generate a rex. It selects both of the Account Name's still. I thank you so much for your help, it just doesnt seem to work in RegExr, or the splunk rex generator.

Re: Generating a RegEx/ prop change doesnt work

Michael_Schyma1 — Tue, 24 Jul 2012 14:24:51 GMT

Does anyone have any other suggestions because i can not get it to work??

Re: Generating a RegEx/ prop change doesnt work

lguinn2 — Tue, 24 Jul 2012 15:01:13 GMT

So you did something like this:

sourcetype=WinEventLog:Security | rex field=_raw "Account Name:\s+(?P<account_name>\S+)\s+Account Domain" | table account_name EventCode

and you still got two account names?

Re: Generating a RegEx/ prop change doesnt work

Michael_Schyma1 — Tue, 24 Jul 2012 15:27:06 GMT

No i did not get two name accounts, but i got information from both instead of justs the second account name

Re: Generating a RegEx/ prop change doesnt work

Gilberto_Castil — Mon, 28 Sep 2020 12:08:11 GMT

Hi Michael,

Assuming the first "Account Name" field in the event is SECID_account_name and the second is just account_name, the following should work:

In-line search

sourcetype=blah blah blah | rex field=_raw "Account\s+Name\:\s+(?<SECID_account_name>\w+).+?Account\s+Name\:\s+(?<account_name>\w+).+?$" | fields SECID_account_name account_name

To automate this extraction in props.conf, the entry under your stanza should be:

[yoursourcetypehere]
EXTRACT-accounts = Account\s+Name\:\s+(?<SECID_account_name>\w+).+?Account\s+Name\:\s+(?<account_name>\w+).+?$

I am pretty sure this should work -if there are always two "Account Name" fiels entries in each event.

Re: Generating a RegEx/ prop change doesnt work

lguinn2 — Wed, 25 Jul 2012 02:58:26 GMT

Attempt #3:

Part of the problem may be that there are already field extractions defined for sourcetype WinEventLog:Security. To override them, put this stanza in this location: $SPLUNK_HOME\etc\system\local\props.conf

[WinEventLog:Security]
EXTRACT-e2="Account Name:\s+(?P<account_name>\S+)\s+Account Domain"

This will not eliminate other fields. If you still find that account_name is a multi-valued field, I suggest that you use a different name, such as acct_name, that is not already being used.

Yes, you could go ferret out where all the Windows Event Log fields are defined, and change them, but then the dashboards, etc. that are built into the Splunk for Windows app will stop working...