Splunk Search

How to Regex the second occurrence of Account Name in AD logs

Log_wrangler
Builder

I need to filter AD logs with Event Code 4725 "A user account was disabled".
I need to regex and filter the second occurrence of "Account Name:" so that I can further filter by account names.
The specific issue is that in each event Message there is a "Service Account Name" associated with the "Target Account: Account Name:", and I only want the Account Name under the Target Account.

Although the formatting is not indented correctly, this is a typical 4725 event.

05/02/2019 10:32:13 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4725
EventType=0
... 1 line omitted ...
ComputerName=123.ds.abc.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=63515116
Keywords=Audit Success
Message=A user account was disabled.
Subject:
Security ID: S-132121123131213
Account Name: Blah-service
Account Domain: DS
Logon ID: 0x2ea0e04f8
Target Account:
Security ID: S-456454313131321
Account Name: BlahBlah
Account Domain: DS

In Regex 101 I can capture the value I need but in splunk I cannot get the rex to work.

Currently I have

index=main  sourcetype=AD_logs EventCode="4725" | rex field = Message "Account Name\:\s+(?<disabled>.+)" | table disabled

but this only gives me the first Account Name (Blah-service) when I need the second Account Name (BlahBlah).

I cannot find a good example of how to match on the second occurrence of 'Account Name'.

Any help is greatly appreciated.

0 Karma
1 Solution

yeahnah
Communicator

If using rex (there are other KV extraction options using transforms) then you can pass it its max_match option and, if "Account Name" is found twice, then the disabled field will be multi-valued, which can then be tested for both fields with the 2nd field being set, as below
...
| rex field=Message max_match=2 "Account Name: (?<disabled>.+)"
| eval disabled=if(mvcount(disabled)=2, mvindex(disabled, 1), disabled)

Hope this helps.

0 Karma
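The two ways of getting at the Target Account name that this thread discusses, worked through as an added example that is not part of the original thread and not the Splunk community's own code. It is written in Python rather than SPL so it can be run offline; the Message text is constructed from the 4725 event quoted in the question, and the second sample (CRLF line endings) is constructed to show the trailing-`\r` problem a greedy `.+` causes on real Windows event text. `second_account_name` mirrors `rex max_match=0 ... | eval disabled=mvindex(disabled,1)`; `target_account_name` instead anchors on the "Target Account:" section header, which does not depend on the Subject block coming first or on an Account Name being present in it.

```python
import re
from typing import List, Optional

# Constructed sample: the Message field of the 4725 event quoted in the
# question, as Splunk would hold it after the "Message=" key.
MESSAGE = """A user account was disabled.
Subject:
Security ID: S-132121123131213
Account Name: Blah-service
Account Domain: DS
Logon ID: 0x2ea0e04f8
Target Account:
Security ID: S-456454313131321
Account Name: BlahBlah
Account Domain: DS
"""

# Constructed variant with Windows CRLF line endings, which is what the
# Windows event log actually emits; '.' matches '\r' but not '\n', so a
# greedy '.+' capture picks up a trailing '\r' unless it is stripped.
MESSAGE_CRLF = MESSAGE.replace("\n", "\r\n")

# Same pattern as the question's rex: the first match is the Subject's name.
ACCOUNT_NAME = re.compile(r"Account Name:\s+(?P<disabled>.+)")

# Section-anchored pattern: only look at the "Target Account:" block.
# DOTALL lets the lazy '.*?' cross line breaks to reach the Account Name line.
TARGET_NAME = re.compile(
    r"Target Account:.*?Account Name:\s*(?P<target>\S+)", re.DOTALL
)


def all_account_names(message: str) -> List[str]:
    """Equivalent of `rex max_match=0`: every Account Name value, in order."""
    return [m.group("disabled").rstrip() for m in ACCOUNT_NAME.finditer(message)]


def first_account_name(message: str) -> Optional[str]:
    """What the question's single-match rex returns: the Subject's name."""
    names = all_account_names(message)
    return names[0] if names else None


def second_account_name(message: str) -> Optional[str]:
    """Equivalent of `eval disabled=mvindex(disabled,1)` on the multivalue."""
    names = all_account_names(message)
    return names[1] if len(names) >= 2 else None


def target_account_name(message: str) -> Optional[str]:
    """Anchor on the 'Target Account:' header instead of match position."""
    m = TARGET_NAME.search(message)
    return m.group("target") if m else None


if __name__ == "__main__":
    for label, msg in (("LF", MESSAGE), ("CRLF", MESSAGE_CRLF)):
        print(label, "first:", first_account_name(msg),
              "second:", second_account_name(msg),
              "target:", target_account_name(msg))
```

Splunk's rex is PCRE, so the section-anchored pattern carries over as `rex field=Message "Target Account:(?s).*?Account Name:\s*(?<disabled>\S+)"`, the inline `(?s)` playing the role of `re.DOTALL`. One caveat either way: `\s+` after `Account Name:` will happily consume a line break, so if a Subject's Account Name is ever blank the greedy `.+` version captures the next line (`Account Domain: DS`) instead; `\S+` or `[^\r\n]+` avoids that.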

Log_wrangler
Builder

Thank you!

0 Karma

vnravikumar
Champion

Hi

Give this a try:

your query......| rex field=Message max_match=0 "Account Name\:\s+(?P<disabled>.+)"
| eval disabled=mvindex(disabled,1)

0 Karma