
Having trouble grabbing Privileges

Contributor

I am trying to extract the privileges that are listed below, but I do not seem to be having luck with the rex that I have created. Here is the start of what I have done, but nothing is populating when I go to use it:

Privileges:\s(?.+?\s)

08/06/2012 09:39:01 AM
LogName=Security
SourceName=Security
EventCode=576
EventType=8
Type=Success Audit
ComputerName=M573
User=375026
Sid=S-1-5-21-1506843810-3018126377-2026399858-500
SidType=1
Category=4
CategoryString=Privilege Use
RecordNumber=850798
Message=Special privileges assigned to new logon:

User Name:  

Domain:     

Logon ID:       (0x0,0x9149B)

Privileges:     **SeBackupPrivilege
        SeRestorePrivilege
        SeDebugPrivilege
        SeChangeNotifyPrivilege**

08/06/2012 09:39:01 AM
LogName=Security
SourceName=Security
EventCode=538
EventType=8
Type=Success Audit


Re: Having trouble grabbing Privileges

Splunk Employee

How does this work for you?

Privileges:\s+(?[^']+)[\r|\n]

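As an added example that is not part of this thread (neither poster's code, nor anything from Splunk), the script below applies the same idea as the answer to the event text from the question: a named capture group takes the whole block after "Privileges:" up to the next blank line, and the block is then split into individual privilege names. The group name `privs`, the helper function names and the watchlist are my own choices; the event text is a constructed copy of the sample in the question. Splunk's rex uses PCRE, which agrees with Python's `re` for this pattern, so the same expression should port with the group written as `(?<privs>...)` and `(?s)` in place of `re.DOTALL`.

```python
import re
from typing import List, Sequence

# Constructed sample: the Windows Security event 576 message from the question,
# trimmed to the fields that matter here. Indentation inside the message varies
# between Windows versions, so the regex tolerates spaces or tabs.
SAMPLE_EVENT = """08/06/2012 09:39:01 AM
LogName=Security
EventCode=576
Message=Special privileges assigned to new logon:

User Name:  

Domain:     

Logon ID:       (0x0,0x9149B)

Privileges:     SeBackupPrivilege
        SeRestorePrivilege
        SeDebugPrivilege
        SeChangeNotifyPrivilege

08/06/2012 09:39:01 AM
LogName=Security
EventCode=538
"""

# Named group "privs" (my own name) captures everything after "Privileges:" up to
# the first blank line or the end of the text. The question's original rex stopped
# at the first whitespace, so it could never see more than one privilege.
PRIV_BLOCK = re.compile(
    r"Privileges:[ \t]*(?P<privs>.*?)(?:\n[ \t]*\n|\Z)",
    re.DOTALL,
)


def extract_privilege_block(event_text: str) -> str:
    """Return the raw text of the Privileges block, or '' if the event has none."""
    m = PRIV_BLOCK.search(event_text)
    return m.group("privs") if m else ""


def extract_privileges(event_text: str) -> List[str]:
    """Return the individual privilege names, in message order."""
    block = extract_privilege_block(event_text)
    # One privilege per line, each indented; drop the indentation and any blanks.
    return [line.strip() for line in block.split("\n") if line.strip()]


def flag_sensitive(privs: Sequence[str],
                   watchlist: Sequence[str] = ("SeDebugPrivilege",
                                               "SeBackupPrivilege",
                                               "SeRestorePrivilege")) -> List[str]:
    """Defender-side check: which of the assigned privileges are on a review list."""
    return sorted(set(privs) & set(watchlist))


if __name__ == "__main__":
    found = extract_privileges(SAMPLE_EVENT)
    print("privileges:", found)
    print("worth reviewing:", flag_sensitive(found))
```

The lazy `.*?` with `DOTALL` is what lets the group span several lines; the terminating `\n[ \t]*\n` stops it at the blank line that separates the privilege list from the next event, and `\Z` covers an event where the list is the last thing in the text.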