topic Re: Regex Field Extraction in Splunk Search

Regex Field Extraction

tkwaller — Tue, 29 Sep 2020 09:24:57 GMT

Hello

I am trying to extract the username from windows security event logs. It seems that there are 2 account name fields and I'm trying to extract the second.
04/14/2016 02:15:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=X
EventType=X
Type=X
ComputerName=X
TaskCategory=X
OpCode=X
RecordNumber=X
Keywords=Audit Success
Message=A user account was locked out.

Subject:
Security ID: X
Account Name: Domain Controller
Account Domain: X
Logon ID: X

Account That Was Locked Out:
Security ID: X\me
Account Name: me

I am trying to extract the 2nd Account_Name field( this example I set the field value to me)

Any thoughts on how I could accomplish this? The value will almost certainly be different for the field as it changes often.
What I had was:
rex field=_raw ""Account Name:\s*(?"user"(\w.*))"" (had to use quotes around user as the <> made the value not appear in the text)

But of course that extracts BOTH Account Name fields.

Thanks for any pointers, the help is appreciated!

Re: Regex Field Extraction

ryandg — Thu, 14 Apr 2016 16:20:12 GMT

Do you not have the Windows TA installed? What event code are you seeing this? In my experience the TA extracts each account name as different (Src and Dest user) so I am not sure where/why you wouldn't be seeing such a case if the TA is installed.

Re: Regex Field Extraction

masonmorales — Thu, 14 Apr 2016 16:22:12 GMT

Something like this might work:

| rex "Security ID\: \S*[\r|\n]Account Name\: (?<user>\S*)[\r|\n]"

Basically you are telling it to look for the line before the 2nd Account Name (Security ID) and then start capturing on the line following it after the words "Account Name".

Re: Regex Field Extraction

vasanthmss — Tue, 29 Sep 2020 09:25:02 GMT

Try this,

... | rex field=_raw max_match=100**** ""Account Name:\s*(?"user"(\w.*))""

max_match property gives you to extract the multi values with same regular expression. you can specify your number here i've used 100 matches, you can change it based on your use case.

Read this document for more info,
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Rex

Thanks,
V

Re: Regex Field Extraction

tkwaller — Tue, 29 Sep 2020 09:25:04 GMT

the specific event code Im looking at is: EventCode=4740

Do you mean: Splunk_TA_windows, if so, yes its installed and deployed but there are no fields named (Src and Dest user)

Re: Regex Field Extraction

ryandg — Tue, 29 Sep 2020 09:26:09 GMT

Looking through the TA's Props.conf and transforms.conf now and those fields do have their regex written for them. You installed the Splunk_TA_windows on the search heads? -- Presumably, I'd rather get the TA fixed than have a custom REGEX that only solves one field over all of the fields. Do you have any custom parsers written at the private, app or global level for Windows events? That would be the #1 reason why the TA no longer parses the data.

Re: Regex Field Extraction

somesoni2 — Thu, 14 Apr 2016 17:06:20 GMT

Give this a try (takes the last Account Name appeared in the event)

| rex "([\S*\s*]*[\r|\n])*\s*Account Name\:\s+(?<user>.*)[\r|\n]*"

Re: Regex Field Extraction

tkwaller — Thu, 14 Apr 2016 17:09:51 GMT

Unfortunately both Account Name fields are preceded by Security ID fields

Re: Regex Field Extraction

masonmorales — Thu, 14 Apr 2016 17:45:53 GMT

Just add another line then to give it more context... i.e.

 | rex "Account That Was Locked Out\: \S*[\r|\n]Security ID\: \S*[\r|\n]Account Name\: (?<user>\S*)[\r|\n]"

You can also add what should be expected after the field extraction too.

Re: Regex Field Extraction

masonmorales — Thu, 14 Apr 2016 17:47:16 GMT

Also, out of curiosity, what happens if you use the interactive field extractor in Splunk Web?

Re: Regex Field Extraction

tkwaller — Thu, 14 Apr 2016 18:41:43 GMT

That is what I did, thanks!

Re: Regex Field Extraction

tkwaller — Thu, 14 Apr 2016 19:04:26 GMT

So it seems there was an override. I put in the field extraction from above as a temp fix but you are also correct. I will correct this at the source ASAP

Re: Regex Field Extraction

tkwaller — Thu, 14 Apr 2016 19:07:17 GMT

Yes this worked as well BUT with the caveat that it includes BOTH Account Names

Re: Regex Field Extraction

tkwaller — Thu, 14 Apr 2016 19:10:07 GMT

Couldn't get this one to work

Re: Regex Field Extraction

somesoni2 — Thu, 14 Apr 2016 19:17:55 GMT

Ok. Give this as try as well

... | rex  "Account Name:.*([\r\n])*Account Name\:\s+(?<user>.*)[\r|\n]*""

Re: Regex Field Extraction

masonmorales — Thu, 14 Apr 2016 22:42:09 GMT

Can you choose Accept Answer please?

Re: Regex Field Extraction

dmitryyatskiv — Tue, 29 Sep 2020 13:19:04 GMT

| eval subject_account=mvindex(Account_Name, 0) | eval target_account=mvindex(Account_Name, 1) |

Re: Regex Field Extraction

dmitryyatskiv — Tue, 29 Sep 2020 13:19:07 GMT

| eval subject_account=mvindex(Account_Name, 0) | eval target_account=mvindex(Account_Name, 1) |