Splunk Search

How to Regex the second occurrence of Account Name in AD logs

Log_wrangler
Builder

I need to filter AD logs with Event Code 4725 "A user account was disabled".
I need to regex and filter the second occurrence of "Account Name:" so that I can further filter by account names.
The specific issue is that in each event Message there is a "Service Account Name" associated with the "Target Account: Account Name:" And I only want the Account Name under the Target Account.

Although the formatting is not indented correctly, this is a typical 4725 event.

05/02/2019 10:32:13 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4725
EventType=0
... 1 line omitted ...
ComputerName=123.ds.abc.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=63515116
Keywords=Audit Success
Message=A user account was disabled.
Subject:
Security ID: S-132121123131213
Account Name: Blah-service
Account Domain: DS
Logon ID: 0x2ea0e04f8
Target Account:
Security ID: S-456454313131321
Account Name: BlahBlah
Account Domain: DS

In Regex 101 I can capture the value I need but in splunk I cannot get the rex to work.

Currently I have

index=main  sourcetype=AD_logs EventCode="4725" | rex field = Message "Account Name\:\s+(?<disabled>.+)" | table disabled

but this only gives me the first Account Name: Blah-service when I need the second Account Name: BlahBlah

I cannot find a good example of how to match on the second occurrence of 'Account Name'.

Any help is greatly appreciated.

0 Karma
1 Solution

yeahnah
Communicator

If using rex (there are other KV extraction options using transforms) then you can pass it its max_match option and, if "Account Name" is found twice, then the disabled field will be multi-valued, which can then be tested for both fields with the 2nd field being set, as below
...
| rex field=Message max_match=2 "Account Name: (?.+)"
| eval disabled=if(mvcount(disabled)=2, mvindex(disabled, 1), disabled)

Hope this helps.

View solution in original post

0 Karma

yeahnah
Communicator

If using rex (there are other KV extraction options using transforms) then you can pass it its max_match option and, if "Account Name" is found twice, then the disabled field will be multi-valued, which can then be tested for both fields with the 2nd field being set, as below
...
| rex field=Message max_match=2 "Account Name: (?.+)"
| eval disabled=if(mvcount(disabled)=2, mvindex(disabled, 1), disabled)

Hope this helps.

0 Karma

Log_wrangler
Builder

Thank you!

0 Karma

vnravikumar
Champion

Hi

Give a try

your query......| rex field=message max_match=0 "Account Name\:\s+(?P<disabled>.+)" 
| eval disabled= mvindex(disabled,1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...