https://community.splunk.com/t5/Splunk-Search/rex-extraction-for-field-value-with-a-space/m-p/118348#M31585 <P>Attempting to create a Rex extract during search to extract a field from the message field in winsecurity event logs.</P> <P>Need to extract the Member: information from examples such as:</P> <PRE><CODE>A member was added to a security-enabled local group. Subject: Security ID: Domain1\UserTest Account Name: UserTest Account Domain: Domain1 Logon ID: 0xd8a6824 Member: Security ID: Domain1\TestAdmins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - A member was added to a security-enabled local group. Subject: Security ID: server1\Administrator Account Name: Administrator Account Domain: server1 Logon ID: 0x5aa535 Member: Security ID: Domain1\Domain Admins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - </CODE></PRE> <P>I was able to create a rex that locates the Member: area and extracts the Security ID: which includes the domain\user however when the user or group name has a space It does not extract the entire name.</P> <P>Here is what I have tried so far:</P> <PRE><CODE>rex field=Message "(?ms)Security ID:.*?Security ID:\s+(?\S+)" rex field=Message "(?ms)Security ID:.*?Security ID:\s+(?\w+\W\w+\s\w+)" </CODE></PRE> <P>I need to find a way for it to extract the domain\user with and without spaces in the name. Is there a way to have the extraction stop once it reaches the word Account? or some other rex that would work?</P> Fri, 23 Jan 2015 19:37:20 GMT rgoody 2015-01-23T19:37:20Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-for-field-value-with-a-space/m-p/118348#M31585 <P>Attempting to create a Rex extract during search to extract a field from the message field in winsecurity event logs.</P> <P>Need to extract the Member: information from examples such as:</P> <PRE><CODE>A member was added to a security-enabled local group. Subject: Security ID: Domain1\UserTest Account Name: UserTest Account Domain: Domain1 Logon ID: 0xd8a6824 Member: Security ID: Domain1\TestAdmins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - A member was added to a security-enabled local group. Subject: Security ID: server1\Administrator Account Name: Administrator Account Domain: server1 Logon ID: 0x5aa535 Member: Security ID: Domain1\Domain Admins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - </CODE></PRE> <P>I was able to create a rex that locates the Member: area and extracts the Security ID: which includes the domain\user however when the user or group name has a space It does not extract the entire name.</P> <P>Here is what I have tried so far:</P> <PRE><CODE>rex field=Message "(?ms)Security ID:.*?Security ID:\s+(?\S+)" rex field=Message "(?ms)Security ID:.*?Security ID:\s+(?\w+\W\w+\s\w+)" </CODE></PRE> <P>I need to find a way for it to extract the domain\user with and without spaces in the name. Is there a way to have the extraction stop once it reaches the word Account? or some other rex that would work?</P> Fri, 23 Jan 2015 19:37:20 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-for-field-value-with-a-space/m-p/118348#M31585 rgoody 2015-01-23T19:37:20Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-for-field-value-with-a-space/m-p/118349#M31586 <P>Ok why are all the backslashes missing from my post, lol.</P> Fri, 23 Jan 2015 19:38:25 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-for-field-value-with-a-space/m-p/118349#M31586 rgoody 2015-01-23T19:38:25Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-for-field-value-with-a-space/m-p/118350#M31587 <P>the same happened to me today <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Fri, 23 Jan 2015 19:41:37 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-for-field-value-with-a-space/m-p/118350#M31587 aakwah 2015-01-23T19:41:37Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-for-field-value-with-a-space/m-p/118351#M31588 <P>Try this</P> <PRE><CODE>|rex field=Message "(?ms)Member\:\sSecurity ID\:\s(?&lt;SerurityID&gt;.*)\sAccount\sName" </CODE></PRE> <P>Runanywhere sample search with your example:</P> <PRE><CODE>| gentimes start=-1 | eval temp="A member was added to a security-enabled local group. Subject: Security ID: Domain1\UserTest Account Name: UserTest Account Domain: Domain1 Logon ID: 0xd8a6824 Member: Security ID: Domain1\TestAdmins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -#A member was added to a security-enabled local group. Subject: Security ID: server1\Administrator Account Name: Administrator Account Domain: server1 Logon ID: 0x5aa535 Member: Security ID: Domain1\Domain Admins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as Message |rex field=Message "(?ms)Member\:\sSecurity ID\:\s(?&lt;SerurityID&gt;.*)\sAccount\sName" </CODE></PRE> Fri, 23 Jan 2015 19:53:37 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-for-field-value-with-a-space/m-p/118351#M31588 somesoni2 2015-01-23T19:53:37Z