Splunk Search

How do I create a regex for the following? Too long for field extractor

tkerr357
Observer

Hello all,

 

For some reason, I think these events are too long for me to use the field extractor so I was hoping for some help creating some regex.  I am looking to extract Account Name, Source Network Address and Workstation Name. Any assistance would be much appreciated. 

[Sample event: screenshot attached to the original question]

0 Karma

Bennette
Explorer

You say "I think these events are too long for me to use the field extractor," so apparently you've tried some things and they failed.  Your events don't seem overly long to me.  Can you show us what you tried and how it failed?  What messages, partial results, or errors did you receive?

0 Karma

tkerr357
Observer

When I attempt to extract fields from a sample event, it only provides me with the following, not the entire body of the event, which is an issue considering most of the information I need is towards the bottom. There is no scroll bar, nor can I scroll down with an arrow key.

[Screenshot: field extractor preview showing only the start of the event]

0 Karma

yuanliu
SplunkTrust

First, please post sample data in text instead of screenshot.  Second, "Account Name" appears under two headings.  I assume that the one under "New Logon" is relevant.  The following should get you started:

| rex "New Logon:[\s\S]*?Account Name:\s*(?<account_name>\S+)"
| rex "Source Network Address:\s*(?<source_network_address>\S+)"
| rex "Workstation Name:\s*(?<workstation_name>\S+)"
0 Karma

tkerr357
Observer

Here is a sample event in text form.

 

3/14/22 7:38:32.000 PM
03/14/2022 07:38:32 PM LogName=Security EventCode=4624 EventType=0 ComputerName=RNVSASP246.rightnetworks.com SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=96042977 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: RNVSASP246$ Account Domain: RIGHTNETWORKS Logon ID: 0x3E7 Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: RIGHTNETWORKS\WLoginPI153 Account Name: wloginpi153 Account Domain: RIGHTNETWORKS Logon ID: 0x293A0D05 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4C2509FA-3019-EB53-B3C9-D23576728AAC} Process Information: Process ID: 0x370 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RNVSASP246 Source Network Address: 10.40.9.13 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
0 Karma
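As an added example (not code from this thread or from Splunk), the following Python script prototypes the rex patterns suggested in the answer above against the 4624 event text posted in the question. It covers two pitfalls a practitioner hits with this event: "Account Name:" does not directly follow "New Logon:" (a "Security ID:" line sits between them), and a capture that ends in `.*` behaves differently depending on whether Splunk kept the event's original line breaks or the event arrives flattened onto one line, as in the pasted text. It assumes that Python's `re` and Splunk's PCRE agree on the constructs used (`\s`, `\S`, `[\s\S]*?`, named groups), which they do, the only translation being `(?P<name>...)` in Python versus `(?<name>...)` in rex. The multi-line variant of the event is constructed here to mimic the line breaks Windows writes; the one-line variant is copied from the post with its trailing explanatory text shortened.

```python
import re

# Event 4624 as pasted in the thread: one line, with the trailing boilerplate
# explanation shortened (constructed from the post; the fields of interest are intact).
EVENT_ONE_LINE = (
    r"03/14/2022 07:38:32 PM LogName=Security EventCode=4624 EventType=0 "
    r"ComputerName=RNVSASP246.rightnetworks.com SourceName=Microsoft Windows security auditing. "
    r"Type=Information RecordNumber=96042977 Keywords=Audit Success TaskCategory=Logon OpCode=Info "
    r"Message=An account was successfully logged on. "
    r"Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: RNVSASP246$ "
    r"Account Domain: RIGHTNETWORKS Logon ID: 0x3E7 "
    r"Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No "
    r"Elevated Token: No Impersonation Level: Impersonation "
    r"New Logon: Security ID: RIGHTNETWORKS\WLoginPI153 Account Name: wloginpi153 "
    r"Account Domain: RIGHTNETWORKS Logon ID: 0x293A0D05 Linked Logon ID: 0x0 "
    r"Network Account Name: - Network Account Domain: - "
    r"Logon GUID: {4C2509FA-3019-EB53-B3C9-D23576728AAC} "
    r"Process Information: Process ID: 0x370 Process Name: C:\Windows\System32\svchost.exe "
    r"Network Information: Workstation Name: RNVSASP246 Source Network Address: 10.40.9.13 "
    r"Source Port: 0 Detailed Authentication Information: Logon Process: User32 "
    r"Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - "
    r"Key Length: 0 This event is generated when a logon session is created."
)

# The same event with the line breaks Windows writes (constructed for this example;
# Splunk normally keeps these, which is what the field extractor preview shows).
EVENT_MULTI_LINE = (
    "An account was successfully logged on.\n\n"
    "Subject:\n\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM\n\tAccount Name:\t\tRNVSASP246$\n"
    "\tAccount Domain:\t\tRIGHTNETWORKS\n\tLogon ID:\t\t0x3E7\n\n"
    "New Logon:\n\tSecurity ID:\t\tRIGHTNETWORKS\\WLoginPI153\n\tAccount Name:\t\twloginpi153\n"
    "\tAccount Domain:\t\tRIGHTNETWORKS\n\tLogon ID:\t\t0x293A0D05\n\n"
    "Network Information:\n\tWorkstation Name:\tRNVSASP246\n"
    "\tSource Network Address:\t10.40.9.13\n\tSource Port:\t\t0\n"
)

# Pitfall 1: "Account Name:" does not directly follow "New Logon:" (a Security ID line
# sits between), so \s* alone cannot bridge the gap and this pattern never matches.
NAIVE = {"account_name": r"New Logon:\s*Account Name:\s*(?P<account_name>.*)"}

# Pitfall 2: a trailing .* is fine when each value ends at a line break, but on a
# flattened one-line event it swallows the rest of the message.
LOOSE = {
    "account_name": r"New Logon:[\s\S]*?Account Name:\s*(?P<account_name>.*)",
    "source_network_address": r"Source Network Address:\s*(?P<source_network_address>.*)",
    "workstation_name": r"Workstation Name:\s*(?P<workstation_name>.*)",
}

# Robust form: lazily skip to the first "Account Name:" after the section header and
# stop each value at whitespace, so both event layouts extract identically.
TIGHT = {
    "account_name": r"New Logon:[\s\S]*?Account Name:\s*(?P<account_name>\S+)",
    "source_network_address": r"Source Network Address:\s*(?P<source_network_address>\S+)",
    "workstation_name": r"Workstation Name:\s*(?P<workstation_name>\S+)",
    # The Subject account is the local process that requested the logon, not the user
    # who logged on; extract it under its own name so the two are never confused.
    "subject_account_name": r"Subject:[\s\S]*?Account Name:\s*(?P<subject_account_name>\S+)",
}


def extract(event, patterns):
    """Mimic a chain of `| rex` commands: each pattern adds its named group if it matches."""
    fields = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, event)
        if match:
            fields[name] = match.group(name)
    return fields


def spl_rex(patterns):
    """Render the patterns as Splunk rex commands (Python (?P<n>...) becomes PCRE (?<n>...))."""
    return [f'| rex "{pattern.replace("(?P<", "(?<")}"' for pattern in patterns.values()]


if __name__ == "__main__":
    for label, event in (("one-line", EVENT_ONE_LINE), ("multi-line", EVENT_MULTI_LINE)):
        print(label, "naive:", extract(event, NAIVE))
        print(label, "loose:", extract(event, LOOSE))
        print(label, "tight:", extract(event, TIGHT))
    print("\n".join(spl_rex(TIGHT)))
```

Running it shows the naive pattern extracting nothing from either layout, the loose patterns working only on the multi-line event, and the tight patterns returning the same four values for both. `spl_rex(TIGHT)` prints the rex commands to paste into a search; `\S+` also copes with values such as `-` or `RNVSASP246$`, but would need widening if an account name containing a space ever had to be captured.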