Splunk Search

Field extraction from a Windows log

vagnet
Explorer

Hi Splunkers,

 

I have prepared a regex extraction using regex101 site, and now trying to extract "Failure Reason" as per below log but for some reason fails.

 

Where is the catch? Should be pretty simple but I am out of ideas now.

 

Search:

 

 

| from datamodel:"Authentication"."Insecure_Authentication" 
| search "*Failure*"
| rex  "Failure\sReason:\t\t(?<Failure_Reason>.*)\n"

 

 

Log:

 

ComputerName=ot.mydomain.com
TaskCategory=Logon
OpCode=Info
RecordNumber=41462650
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		usergeorge$
	Account Domain:		dm
	Logon ID:		0x3E7

Logon Type:			8

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		george1$
	Account Domain:		mydomain.com

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC000006A

Process Information:
	Caller Process ID:	0x2t20

 

 

Regards,

vagnet

Labels (2)
Tags (2)
0 Karma
1 Solution

vagnet
Explorer

Hi,

 

The solution is to adjust the quotes on the data model. One easily missed I guess.

| from datamodel:"Authentication.Insecure_Authentication"
| rex field=_raw  "Failure\sReason:\t\t(?<Failure_Reason>.*)\s"

Regards,

Vagnet

View solution in original post

0 Karma

vagnet
Explorer

Hi,

 

The solution is to adjust the quotes on the data model. One easily missed I guess.

| from datamodel:"Authentication.Insecure_Authentication"
| rex field=_raw  "Failure\sReason:\t\t(?<Failure_Reason>.*)\s"

Regards,

Vagnet

0 Karma

vhharanpositka
Path Finder

Hi Vagnet

 

You can try this @vagnet ,

 

| from datamodel:"Authentication"."Insecure_Authentication"
| search "*Failure*"
| rex field=_raw  "Failure\sReason:\t\t(?<Failure_Reason>.*)\n"

0 Karma

vagnet
Explorer

Thanks @vhharanpositka . Same results though

0 Karma

vhharanpositka
Path Finder

Hi @vagnet 

 

This is working for me.

vhharanpositka_0-1635520409205.png

 

0 Karma

vagnet
Explorer

Thanks @vhharanpositka . It works using index searching, but when searching inside the datamodel. This is what I am trying to figure out.

 

Regards,

Vagnet

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...