Splunk Search

Help with regex

vrmandadi
Builder

Below is the sample event

01/15/2019 03:49:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4738
EventType=0
Type=Information
ComputerName=STM12R2DC003.abc.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=2309384837
Keywords=Audit Success
Message=A user account was changed.

Subject:
Security ID: COMPANY\KS3840
Account Name: KS3840
Account Domain: company
Logon ID: 0x94B1FF95

Target Account:
Security ID: COMPANY\BArandallAU8340
Account Name: BArandallAU8340
Account Domain: COMPANY

I am trying to extract the one highlighted an using the following regex which I made using regex.101.It is working in correctly in regex101 but when used the same regex it is throwing error Regex: unmatched closing parenthesis

Regex
(Target\sAccount\:\s+Security\sID\:\s*)COMPANY\\(?<ABC>[^ ]+)Account

In Splunk

|rex field=_raw "(Target\sAccount\:\s+Security\sID\:\s*)COMPANY\\(?<ABC>[^ ]+)Account"

output

BArandallAU8340

0 Karma

mydog8it
Builder

Without trying to modify your regex, does this help?

|rex field=_raw "((Target\sAccount\:\s+Security\sID\:\s*)COMPANY\\(?<ABC>[^ ]+)Account)"
0 Karma

skoelpin
SplunkTrust
SplunkTrust

You need to escape the parenthesis to avoid this error. You can use a backslash to do it before the parenthesis

Also, I don't see a field name for your regular expression. Try this instead, your field name will be CompanyName

COMPANY\*(?<CompanyName>\w+)
0 Karma

vrmandadi
Builder

I named the field as ABC

0 Karma

skoelpin
SplunkTrust
SplunkTrust

I see it now, regardless the Regex I posted is faster with less steps and should solve your problem

0 Karma

vrmandadi
Builder

I tried yours but it did not extract anything.I am trying to extract only the second account name in the event which is BArandallAU8340

Security ID: COMPANY\BArandallAU8340
Account Name: BArandallAU8340
Account Domain: COMPANY

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Did you modify your original sample data? It had a * in it previously and now it doesn't which explains why it didn't capture it. I see you have a working solution, please accept the answer to close it out

0 Karma

vrmandadi
Builder

i FIGURED IT OUT

Target\sAccount:\s+Security\sID:\s*COMPANY.(?\w+)

0 Karma

skoelpin
SplunkTrust
SplunkTrust

@vrmandadi can you accept the answer to close this out?

0 Karma