topic Re: How to write regex to extract fields with multiple values? in Splunk Search

How to write regex to extract fields with multiple values?

basanthp — Fri, 26 Dec 2014 08:48:42 GMT

The below is the windows security logs Message field data.

The Security_ID field is splunk identified and contains 2 values - Domain1\username1 and Domain2\username2.

I want to extract them in search query as 2 different fields using regex say myfield1=Domain1\username1 and myfield2=Domain2\username2.

Any pointers on how to write regex for this would be helpful?

I used the below query

index="win_logs" sourcetype="WinEventLog:Security" (EventCode=4720) | table Message

"A user account was created.

Subject:
Security ID: Domain1\username1
Account Name: username1
Account Domain: Domain1
Logon ID: 0x1005dc243

New Account:
Security ID: Domain2\username2
Account Name: username2
Account Domain: Domain2

Attributes:
SAM Account Name: username2
Display Name: first name, last name
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set:
Account Expires:
Primary Group ID: 513000000
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:

Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: -
SID History: -
Logon Hours:

Additional Information:
Privileges -"

Re: How to write regex to extract fields with multiple values?

MuS — Fri, 26 Dec 2014 09:24:13 GMT

Another option would be to take a look at the docs about Windows event monitoring http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata and use the renderXml option instead of any regex ....

Re: How to write regex to extract fields with multiple values?

richgalloway — Fri, 26 Dec 2014 13:50:50 GMT

MuS's comment is a good one. If you insist on using regex, however, this string should get you started:

rex field=Message "Subject:[\s]+?Security ID: (?<myfield1>\S+)[\s\S]+?New Account:[\s]+?Security ID: (?<myfield2>\S+)"

Re: How to write regex to extract fields with multiple values?

ltrand — Fri, 26 Dec 2014 21:27:08 GMT

Question: Why do you not use the fields below as they already have the data you're looking for? (Account Name, Domain Name)

This will allow you to use the data in either the entirety (SecurityID), or in parts (Account/Domain Name). Just saying.

Otherwise, if it's just regex practice you could do something like richgalloway posted.

Re: How to write regex to extract fields with multiple values?

basanthp — Tue, 30 Dec 2014 05:08:27 GMT

@MuS, not sure if renderXml option will impact the existing 50+ reports created using events in plain text format

Re: How to write regex to extract fields with multiple values?

basanthp — Tue, 30 Dec 2014 05:09:46 GMT

@richgalloway, thanks for the above regex statement. But unfortunately they are not working, myfield1 and myfield2 are blank.

Re: How to write regex to extract fields with multiple values?

basanthp — Tue, 30 Dec 2014 05:12:32 GMT

@Itrand, the SecurityID in the Subject para is PerformingUserID and SecurityID in the New Account para is ImpactedUserID. And splunk recognizes both theses values under single field named SecurityID. Hence the need for separate regex.

Re: How to write regex to extract fields with multiple values?

rathjunk — Tue, 09 Aug 2016 04:38:27 GMT

The following works better

rex field=Message "Subject:[\s]+?Security ID:[\s]+(?<myfield1>\S+)[\s\S]+?New Account:[\s]+?Security ID:[\s]+(?<myfield2>\S+)"