Splunk Search

How to Regex the second occurrence of Account Name in AD logs

Log_wrangler
Builder

I need to filter AD logs with Event Code 4725 "A user account was disabled".
I need to regex and filter the second occurrence of "Account Name:" so that I can further filter by account names.
The specific issue is that in each event Message there is a "Service Account Name" associated with the "Target Account: Account Name:", and I only want the Account Name under the Target Account.

Although the formatting is not indented correctly, this is a typical 4725 event.

05/02/2019 10:32:13 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4725
EventType=0
... 1 line omitted ...
ComputerName=123.ds.abc.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=63515116
Keywords=Audit Success
Message=A user account was disabled.
Subject:
Security ID: S-132121123131213
Account Name: Blah-service
Account Domain: DS
Logon ID: 0x2ea0e04f8
Target Account:
Security ID: S-456454313131321
Account Name: BlahBlah
Account Domain: DS

In Regex 101 I can capture the value I need but in splunk I cannot get the rex to work.

Currently I have

index=main sourcetype=AD_logs EventCode="4725" | rex field=Message "Account Name\:\s+(?<disabled>.+)" | table disabled

but this only gives me the first Account Name: Blah-service when I need the second Account Name: BlahBlah.

I cannot find a good example of how to match on the second occurrence of 'Account Name'.

Any help is greatly appreciated.

0 Karma
1 Solution

yeahnah
Motivator

If using rex (there are other KV extraction options using transforms), then you can pass it its max_match option and, if "Account Name" is found twice, the disabled field will be multi-valued, which can then be tested for both fields with the 2nd field being set, as below:
...
| rex field=Message max_match=2 "Account Name: (?<disabled>.+)"
| eval disabled=if(mvcount(disabled)=2, mvindex(disabled, 1), disabled)

Hope this helps.


0 Karma


Log_wrangler
Builder

Thank you!

0 Karma

vnravikumar
Champion

Hi

Give it a try

your query......| rex field=Message max_match=0 "Account Name\:\s+(?P<disabled>.+)"
| eval disabled=mvindex(disabled,1)

0 Karma
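Both answers rely on rex's max_match producing a multivalue field and mvindex picking the second value. As an added illustration (not code from this thread), here is that logic in Python's re module run against a constructed copy of the 4725 message from the question, beside a pattern anchored on the "Target Account:" section that still returns the right name when only one Account Name is present; the (?P<name>...) group syntax is accepted by both Python and Splunk's PCRE-based rex.

```python
import re
from typing import Optional

# Constructed sample modelled on the 4725 message quoted in the question;
# the SIDs and names are placeholders, not real account data.
SAMPLE_MESSAGE = """A user account was disabled.
Subject:
Security ID: S-132121123131213
Account Name: Blah-service
Account Domain: DS
Logon ID: 0x2ea0e04f8
Target Account:
Security ID: S-456454313131321
Account Name: BlahBlah
Account Domain: DS"""

# Same pattern as the answers above. Without DOTALL, .+ stops at the end of
# the line, which matches how rex behaves by default.
ACCOUNT_NAME_RE = re.compile(r"Account Name:\s+(?P<disabled>.+)")

# Section-anchored alternative: skip forward to the "Target Account:" header
# and take the first Account Name after it, independent of match order.
TARGET_NAME_RE = re.compile(
    r"Target Account:.*?Account Name:\s+(?P<disabled>[^\r\n]+)", re.DOTALL
)


def disabled_by_position(message: str) -> Optional[str]:
    """Mirror of rex max_match=2 plus the mvcount/mvindex eval:
    use the second value when there are exactly two, else the only one."""
    matches = ACCOUNT_NAME_RE.findall(message)  # multivalue field "disabled"
    if not matches:
        return None
    return matches[1] if len(matches) == 2 else matches[0]


def disabled_by_section(message: str) -> Optional[str]:
    """Pull the Account Name from the Target Account block specifically."""
    m = TARGET_NAME_RE.search(message)
    return m.group("disabled").strip() if m else None


if __name__ == "__main__":
    print(disabled_by_position(SAMPLE_MESSAGE))  # BlahBlah
    print(disabled_by_section(SAMPLE_MESSAGE))   # BlahBlah
```

An unguarded mvindex(disabled,1) returns null when the Subject block carries no Account Name, which is why the section-anchored pattern is the safer choice for a detection search.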