Splunk Search

How to Regex the second occurrence of Account Name in AD logs

Log_wrangler
Builder

I need to filter AD logs with Event Code 4725 "A user account was disabled".
I need to regex and filter the second occurrence of "Account Name:" so that I can further filter by account names.
The specific issue is that in each event Message there is a "Service Account Name" associated with the "Target Account: Account Name:", and I only want the Account Name under the Target Account.

Although the formatting is not indented correctly, this is a typical 4725 event.

05/02/2019 10:32:13 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4725
EventType=0
... 1 line omitted ...
ComputerName=123.ds.abc.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=63515116
Keywords=Audit Success
Message=A user account was disabled.
Subject:
Security ID: S-132121123131213
Account Name: Blah-service
Account Domain: DS
Logon ID: 0x2ea0e04f8
Target Account:
Security ID: S-456454313131321
Account Name: BlahBlah
Account Domain: DS

In Regex 101 I can capture the value I need but in splunk I cannot get the rex to work.

Currently I have

index=main sourcetype=AD_logs EventCode="4725" | rex field=Message "Account Name\:\s+(?<disabled>.+)" | table disabled

but this only gives me the first Account Name: Blah-service when I need the second Account Name: BlahBlah

I cannot find a good example of how to match on the second occurrence of 'Account Name'.

Any help is greatly appreciated.

0 Karma
1 Solution

yeahnah
Communicator

If using rex (there are other KV extraction options using transforms) then you can pass it its max_match option and, if "Account Name" is found twice, then the disabled field will be multi-valued, which can then be tested for both fields with the 2nd field being set, as below.
...
| rex field=Message max_match=2 "Account Name: (?<disabled>.+)"
| eval disabled=if(mvcount(disabled)=2, mvindex(disabled, 1), disabled)

Hope this helps.

0 Karma

Log_wrangler
Builder

Thank you!

0 Karma

vnravikumar
Champion

Hi

Give this a try

your query......| rex field=Message max_match=0 "Account Name\:\s+(?P<disabled>.+)"
| eval disabled= mvindex(disabled,1)

0 Karma
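Added example, not code from either answer or from Splunk: a stand-alone Python version of the two approaches in this thread, so the behaviour can be checked offline before wiring it into SPL. `account_names` corresponds to `rex ... max_match=0` building a multi-value field, `second_occurrence` to `mvindex(disabled, 1)` with the accepted answer's `mvcount` guard, and `target_account_name` is the variant a defender would usually prefer: it anchors on the `Target Account:` section instead of on occurrence order, so it does not depend on the Subject block's Account Name line always coming first (which is how 4725 is laid out, but is easy to get wrong when the same regex is reused for other event codes). The first sample Message is the event body from the question above; the second is a constructed variant in the tab-indented, CRLF layout the Windows Security log actually emits, with made-up SIDs and account names.

```python
import re

# Event body from the question above (whitespace as the forum rendered it).
MESSAGE_FROM_QUESTION = """A user account was disabled.
Subject:
Security ID: S-132121123131213
Account Name: Blah-service
Account Domain: DS
Logon ID: 0x2ea0e04f8
Target Account:
Security ID: S-456454313131321
Account Name: BlahBlah
Account Domain: DS"""

# Constructed sample: same 4725 layout as Windows writes it (tabs, CRLF).
# SIDs and names are invented for this example.
MESSAGE_TAB_INDENTED = (
    "A user account was disabled.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001\r\n"
    "\tAccount Name:\t\tsvc-iam\r\n"
    "\tAccount Domain:\t\tDS\r\n"
    "\tLogon ID:\t\t0x2EA0E04F8\r\n"
    "\r\n"
    "Target Account:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-5005\r\n"
    "\tAccount Name:\t\tjdoe\r\n"
    "\tAccount Domain:\t\tDS\r\n"
)

# Value after "Account Name:" up to end of line, tolerant of spaces/tabs and a
# trailing \r. MULTILINE makes $ match before each \n.
ACCOUNT_NAME_RE = re.compile(r"Account Name:\s*(.+?)\s*$", re.MULTILINE)


def account_names(message):
    """All 'Account Name:' values in document order.

    This is what `rex field=Message max_match=0` produces in Splunk: a
    multi-value field holding every match, Subject first, then Target Account.
    """
    return ACCOUNT_NAME_RE.findall(message)


def second_occurrence(message):
    """The thread's approach: mvindex(disabled, 1) with the mvcount() guard.

    Returns the second match when there are two or more, otherwise the only
    match (or None), mirroring the accepted answer's if(mvcount(...)=2, ...).
    """
    names = account_names(message)
    if len(names) >= 2:
        return names[1]
    return names[0] if names else None


def target_account_name(message):
    """Section-anchored variant: only look at text after 'Target Account:'.

    Independent of how many Account Name lines precede the target block, so
    it stays correct if the Subject block is missing or ordered differently.
    """
    _, sep, tail = message.partition("Target Account:")
    if not sep:
        return None
    m = ACCOUNT_NAME_RE.search(tail)
    return m.group(1) if m else None


def disabled_in_watchlist(messages, watchlist):
    """Filter 4725 Message bodies to those whose target account is on a watchlist
    (the 'further filter by account names' step from the question)."""
    wanted = {name.lower() for name in watchlist}
    return [
        msg for msg in messages
        if (target_account_name(msg) or "").lower() in wanted
    ]


if __name__ == "__main__":
    for msg in (MESSAGE_FROM_QUESTION, MESSAGE_TAB_INDENTED):
        print(account_names(msg), second_occurrence(msg), target_account_name(msg))
    print(len(disabled_in_watchlist([MESSAGE_FROM_QUESTION, MESSAGE_TAB_INDENTED], ["jdoe"])))
```

The section-anchored form translates to a single rex in SPL without the multi-value step; untested here, but with Splunk's PCRE engine a pattern along the lines of `Target Account:[\s\S]*?Account Name:\s*(?<disabled>[^\r\n]+)` applied to `Message` should capture only the target's name. Whichever form is used, trim the captured value (`[^\r\n]+` or a trailing `\s*` in the regex, or `trim()` in eval) before comparing it against account names, because the raw Windows line ends in `\r`.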