Solved: How to extract password field in the events with r...

kiran331 · ‎10-20-2017

How to extract password field in the events?

I need to extract " 123456-222245-666565-151063-123456-222365-333111-110110" from below sample event. Any ideas?

==========================
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Computer Name: abcde
Volume C: [dfdf]
All Key Protectors
Numerical Password:
ID: {fjkfjsdfsdjfsj,fhndhg}
Password:
123456-222245-666565-151063-123456-222365-333111-110110
TPM:
ID: {vgdsfsdf3D-33dfdsf44F0-A1EBf9A4B88FFF9A8}
PCR Validation Profile:
0, 2, 4, 11
abcde

Thanks
Kiran

gcusello · ‎10-21-2017

Hi kiran331,
try this:

(?ms)\}\s+Password:\s+(?<Password>.*)TPM

or

| rex "(?ms)\}\s+Password:\s+(?<Password>.*)TPM"

you can test it at https://regex101.com/r/5Wp6Tw/1

Bye.
Giuseppe

View solution in original post

gcusello · ‎10-21-2017

Hi kiran331,
try this:

(?ms)\}\s+Password:\s+(?<Password>.*)TPM

or

| rex "(?ms)\}\s+Password:\s+(?<Password>.*)TPM"

you can test it at https://regex101.com/r/5Wp6Tw/1

Bye.
Giuseppe

sbbadri · ‎10-20-2017

@kiran331

your search | rex field=_raw "Password:\s+(?P<password>.+)\s+TPM:

How to extract password field in the events with regex? (Password is a string of numbers)

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies