
Regex working on Regex101 but not in splunk

Explorer

I have the event below:
Subject:
Security ID: EMEA\abc
Account Name: XXXXXXX
Account Domain: EMEA
Logon ID: XXXXXXX

Member:
Security ID: EMEA\User
Account Name: CN=XXXXXX

Group:
Security ID: XXXXXXXXXXXXXXXXXX
Account Name: XXXXXXXXXXXXXXXXXXX
Account Domain: EMEA

I need to extract the Member: Security ID.
I have used the regex below to extract it:
Member:\n\s+Security\s+ID:\s+(?.*)

It seems to be working in Regex101, but when I use it in Splunk it's not working.

0 Karma

Re: Regex working on Regex101 but not in splunk

Legend

Hi @shugup2923,
please use the Code Sample button (the one with 101010) to display your regex, otherwise it isn't possible to help you.
Just to try in blind mode: did you insert (?ms) at the beginning of the regex?

(?ms)Member:\s+Security\s+ID:\s+(?<Security_ID>[^ ]+)Account

Ciao.
Giuseppe

0 Karma

Re: Regex working on Regex101 but not in splunk

Legend

Try this

 (?ms)Member:\s+Security\s+ID:\s+(?<Security_ID>[^ ]+)\s+Account

Ciao.
Giuseppe

0 Karma
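
An added example, not part of the original posts: it runs the literal-`\n` pattern from the question and the `\s+` pattern from the reply over a constructed copy of the event, using Python's `re` in place of Splunk's PCRE. Assumptions: the sample uses tab indentation and is tested with both LF and CRLF line endings (the thread does not say which the real event has), the group name `Security_ID` is borrowed from the reply because the question's group name is missing, and `LINE_BOUNDED` is a hypothetical variant that is not from the thread.

```python
import re

# Constructed sample modelled on the event in the question; all values are placeholders.
# Assumption: fields are tab-indented, as Windows security event text commonly is.
LINES = [
    "Subject:", "\tSecurity ID: EMEA\\abc", "\tAccount Name: XXXXXXX", "",
    "Member:", "\tSecurity ID: EMEA\\User", "\tAccount Name: CN=XXXXXX", "",
    "Group:", "\tSecurity ID: XXXXXXXX", "\tAccount Name: XXXXXXXX",
]
EVENT_LF = "\n".join(LINES)      # what a paste into a regex tester usually looks like
EVENT_CRLF = "\r\n".join(LINES)  # what a Windows-sourced event may look like

# Python spells named groups (?P<name>...); PCRE also accepts (?<name>...).
STRICT_NEWLINE = r"Member:\n\s+Security\s+ID:\s+(?P<Security_ID>.*)"
REPLY_PATTERN = r"(?ms)Member:\s+Security\s+ID:\s+(?P<Security_ID>[^ ]+)\s+Account"
# Hypothetical variant: stop the capture at the end of the line.
LINE_BOUNDED = r"Member:\s+Security\s+ID:\s+(?P<Security_ID>[^\r\n]+)"

PATTERNS = {
    "strict_newline": STRICT_NEWLINE,
    "reply_pattern": REPLY_PATTERN,
    "line_bounded": LINE_BOUNDED,
}


def extract(pattern, event):
    """Return the Security_ID capture, or None when the pattern does not match."""
    m = re.search(pattern, event)
    return m.group("Security_ID") if m else None


def compare():
    """Map each pattern name to its (LF result, CRLF result) pair."""
    return {name: (extract(p, EVENT_LF), extract(p, EVENT_CRLF))
            for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, (lf, crlf) in compare().items():
        print(f"{name:15} LF={lf!r:16} CRLF={crlf!r}")
```

Under these assumptions the literal `\n` matches only the LF copy, the `\s+` form matches both but `[^ ]+` keeps the trailing line ending in the captured value, and the line-bounded class returns the bare value for both.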

Re: Regex working on Regex101 but not in splunk

Explorer
Member:\n\s+Security\s+ID\:\s+(?.*)
0 Karma