Solved: Extracting information via Regex

Michael_Schyma1 · ‎10-11-2012

Subject:

    Security ID:        NULL SID

    Account Name:       -

    Account Domain:     -

    Logon ID:       0x0



Logon Type:         3



Account For Which Logon Failed:

    Security ID:        NULL SID

    Account Name:       MIF3VB0

    Account Domain:     Company

I want to be able to create a regular expression that just grabs the second Account Name In my search under the title account for which logon failed. Does anyone have any suggestions on how i would go about extracting a variable with two values set to it. I am having many problems trying to figure this out. thank you so much

Ayn · ‎10-11-2012

(?msi)Account For Which Logon Failed:.+?Account Name:\s+(\S+)

View solution in original post

Ayn · ‎10-11-2012

(?msi)Account For Which Logon Failed:.+?Account Name:\s+(\S+)

Michael_Schyma1 · ‎10-11-2012

Thank you so much, that works perfectly. I got this to work but it doesnt look as good as yours:

rex field=_raw "Account For Which Logon Failed:\W\s+\w+\W\S+\W\W+\S+\W\S+\W\s+\w+\W\w+:\W\W(?.+?)\W"

Extracting information via Regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation