Splunk Enterprise

How to write this regex o get SecurityID value?

sbhatnagar88
Path Finder

 

Can some one help me with Regex to get SecurityID value (in Bold) in Target Account.  Below is sample.rex.PNG

**Event in Text form***

03/23/2022 03:20:16 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=FRDPLIDC1.emea.loreal.intra TaskCategory=User Account Management OpCode=Info RecordNumber=386009504 Keywords=Audit Success Message=A user account was changed.

Subject: Security ID: EMEA\romain.pruneaux-adm Account Name: romain.pruneaux-adm Account Domain: EMEA Logon ID: 0x31BBDCF0

Target Account: Security ID: EMEA\frclichyloftvcL05.01 Account Name: frclichyloftvcL05.01 Account Domain: EMEA

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
Target Account:\s+Security ID:\s+(?<securityId>\S+)

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
Target Account:\s+Security ID:\s+(?<securityId>\S+)
0 Karma

sbhatnagar88
Path Finder

@ITWhisperer  - Thank you, didn't realize that was so simple..

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...