https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296120#M89341 <P>Formatting the submission removed the leading spaces. There is actually a space before Account Name in the real logs. </P> <P>I just checked again. With a field extraction, I am getting a match, but the match includes from user1 to the end of the log. If I take the same expression and use the rex command in search, I get exactly what I want. </P> Fri, 17 Nov 2017 17:16:01 GMT jared_anderson 2017-11-17T17:16:01Z https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296114#M89335 <P>Data:<BR /> Nov 16 12:50:51 172.23.0.29 Nov 16 12:50:51 dc01 Microsoft_Windows_security_auditing.[1688]: Domain\user1: Security Microsoft Windows security auditing.: [Success Audit] A user account was changed.<BR /> Subject:<BR /> Security ID: domain\value<BR /> Account Name: value<BR /> Account Domain: Domain<BR /> Logon ID: 0xA058EB26<BR /> Target Account:<BR /> Security ID: domain\user1<BR /> Account Name: user1<BR /> Account Domain: domain<BR /> Changed Attributes:<BR /> SAM Account Name: -<BR /> Display Name: -<BR /> User Principal Name: -<BR /> Home Directory: -<BR /> Home Drive: -<BR /> Script Path: -<BR /> Profile Path: -<BR /> User Workstations: -<BR /> Password Last Set: 11/16/2017 12:50:50 PM<BR /> Account Expires: -<BR /> Primary Group ID: -<BR /> AllowedToDelegateTo: -<BR /> Old UAC Value: -<BR /> New UAC Value: -<BR /> User Account Control: -<BR /> User Parameters: -<BR /> SID History: -<BR /> Logon Hours: -<BR /> Additional Information:<BR /> Privileges: - (EventID 4738)</P> <P>Regex Expression: <CODE>Target Account:\n.+\n Account Name: (?&lt;target_user&gt;.+)</CODE></P> <P>Question:<BR /> When I run this regular expression using the rex command it only matches. "user1"</P> <P>When use this regex in a field extraction it matches everything from user1 to the end of the log. Why does this expression return different results depending on how it is used?</P> Tue, 29 Sep 2020 16:53:10 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296114#M89335 jared_anderson 2020-09-29T16:53:10Z https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296115#M89336 <P>It appears that your question needs some tweaking. Can you edit your question, or add a comment, and use the <CODE>101010</CODE> button on the highlighted "code" to make sure that there are not going to be characters that are removed due to having the code be interpreted before being displayed. Right now the <CODE>Regex</CODE> expression doesn't seem to be complete, so it is hard to give you help.</P> <P>Thanks!</P> Thu, 16 Nov 2017 21:35:46 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296115#M89336 cpetterborg 2017-11-16T21:35:46Z https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296116#M89337 <P>Updated, thanks for the help.</P> Fri, 17 Nov 2017 16:12:35 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296116#M89337 jared_anderson 2017-11-17T16:12:35Z https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296117#M89338 <P>It's likely because there's line ending characters that you can't see (printed by MS) on some events, and then sometimes not on others. regex is VERY specific about things, even the ones you can't see. </P> <P>If you use a '.+' it's a lazy match, so just try to be more specific with your anchor characters. MS is not known for it's ease of matching in it's events. They are quite verbose. </P> Fri, 17 Nov 2017 16:49:39 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296117#M89338 tmarlette 2017-11-17T16:49:39Z https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296118#M89339 <P>I don't understand why it would act differently using the rex command vs an extracted field in the same log.</P> Fri, 17 Nov 2017 16:54:22 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296118#M89339 jared_anderson 2017-11-17T16:54:22Z https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296119#M89340 <P>I don't know if it is a typo, but your REGEX has an extra space before <CODE>Account</CODE>. It should be:</P> <PRE><CODE>Target Account:\n.+\nAccount Name: (?&lt;target_user&gt;.+) </CODE></PRE> <P>Like I say, it may be just a typo, but it would not match as you have supplied it.</P> Fri, 17 Nov 2017 16:58:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296119#M89340 cpetterborg 2017-11-17T16:58:51Z https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296120#M89341 <P>Formatting the submission removed the leading spaces. There is actually a space before Account Name in the real logs. </P> <P>I just checked again. With a field extraction, I am getting a match, but the match includes from user1 to the end of the log. If I take the same expression and use the rex command in search, I get exactly what I want. </P> Fri, 17 Nov 2017 17:16:01 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296120#M89341 jared_anderson 2017-11-17T17:16:01Z https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296121#M89342 <P>Are you using the EXTRACT- in props.conf to do the extraction? By default the multiline regex modifier is enabled when doing field extraction that way.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Propsconf#Field_extraction_configuration">props.conf - field extraction</A></P> Fri, 17 Nov 2017 19:47:33 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296121#M89342 wenthold 2017-11-17T19:47:33Z https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296122#M89343 <P>@wenthold is correct - the field extraction engine is adding the ?ms flags to the start of the regex in your props.conf file. This means that your regex is matching on the whole event as though it's a single line. This can be seen in the documentation too:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?utm_source=answers&amp;utm_medium=in-answer&amp;utm_term=props.conf&amp;utm_campaign=refdoc#Field_extraction_configuration">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?utm_source=answers&amp;utm_medium=in-answer&amp;utm_term=props.conf&amp;utm_campaign=refdoc#Field_extraction_configuration</A></P> <P>If your aim is to only extract the target account, I'd recommend using something like the following regex, which will work in field extractions or in the rex command:</P> <PRE><CODE>(?m)Target\sAccount:\n?(?:(?!Changed).+?)\n?Account\sName:\s(?&lt;target_user&gt;.+?)\n?Account </CODE></PRE> <P>This will also block capture of the rest of the event if the field is empty or all on one line, which is what's happening for you at the moment.</P> Tue, 21 Nov 2017 05:55:09 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-rex-regex-return-different-results-than-field/m-p/296122#M89343 mtulett_splunk 2017-11-21T05:55:09Z