Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex working on Regex101 but not in splunk

shugup2923
Path Finder
‎03-25-2020 01:05 AM

I am having below event -
Subject:
Security ID: EMEA\abc
Account Name: XXXXXXX
Account Domain: EMEA
Logon ID: XXXXXXX

Member:
Security ID: EMEA\User
Account Name: CN=XXXXXX

Group:
Security ID: XXXXXXXXXXXXXXXXXX
Account Name: XXXXXXXXXXXXXXXXXXX
Account Domain: EMEA

I need to extract Member: Security ID
I have used below regex to extract this-
Member:\n\s+Security\s+ID:\s+(?.*)

It seems to be working in Regex101 but when I use this in Splunk its not working .

Tags (1)
0 Karma
Reply

shugup2923
Path Finder
‎03-25-2020 01:16 AM 
Member:\n\s+Security\s+ID\:\s+(?.*)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-25-2020 01:10 AM

Hi @shugup2923,
please use Code Sample button (the one with 101010) to display your regex otherwise it isn't possible to help you.
Only to try in blind mode: did you inserted (?ms) at the beginning of the regex?

(?ms)Member:\s+Security\s+ID:\s+(?<Security_ID>[^ ]+)Account

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-25-2020 01:40 AM

Try this

 (?ms)Member:\s+Security\s+ID:\s+(?<Security_ID>[^ ]+)\s+Account

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...