
Field extraction from a Windows log

vagnet
Explorer

Hi Splunkers,

I have prepared a regex extraction using the regex101 site, and am now trying to extract "Failure Reason" from the log below, but for some reason it fails.

Where is the catch? Should be pretty simple but I am out of ideas now.

Search:

| from datamodel:"Authentication"."Insecure_Authentication" 
| search "*Failure*"
| rex  "Failure\sReason:\t\t(?<Failure_Reason>.*)\n"

Log:

ComputerName=ot.mydomain.com
TaskCategory=Logon
OpCode=Info
RecordNumber=41462650
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		usergeorge$
	Account Domain:		dm
	Logon ID:		0x3E7

Logon Type:			8

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		george1$
	Account Domain:		mydomain.com

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC000006A

Process Information:
	Caller Process ID:	0x2t20

Regards,

vagnet


vagnet
Explorer

Hi,

The solution is to adjust the quotes on the data model. One easily missed, I guess.

| from datamodel:"Authentication.Insecure_Authentication"
| rex field=_raw  "Failure\sReason:\t\t(?<Failure_Reason>.*)\s"

Regards,

Vagnet



vhharanpositka
Path Finder

Hi Vagnet

You can try this, @vagnet:

| from datamodel:"Authentication"."Insecure_Authentication"
| search "*Failure*"
| rex field=_raw  "Failure\sReason:\t\t(?<Failure_Reason>.*)\n"


vagnet
Explorer

Thanks @vhharanpositka. Same results, though.


vhharanpositka
Path Finder

Hi @vagnet

This is working for me.

[Screenshot attached: vhharanpositka_0-1635520409205.png]


vagnet
Explorer

Thanks @vhharanpositka. It works using index searching, but not when searching inside the datamodel. This is what I am trying to figure out.

Regards,

Vagnet
