Splunk Search

How to extract password field in the events with regex? (Password is a string of numbers)

kiran331
Builder

How to extract password field in the events?

I need to extract " 123456-222245-666565-151063-123456-222365-333111-110110" from below sample event. Any ideas?

==========================
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Computer Name: abcde
Volume C: [dfdf]
All Key Protectors
Numerical Password:
ID: {fjkfjsdfsdjfsj,fhndhg}
Password:
123456-222245-666565-151063-123456-222365-333111-110110
TPM:
ID: {vgdsfsdf3D-33dfdsf44F0-A1EBf9A4B88FFF9A8}
PCR Validation Profile:
0, 2, 4, 11
abcde

Thanks
Kiran

Tags (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi kiran331,
try this:

(?ms)\}\s+Password:\s+(?<Password>.*)TPM

or

| rex "(?ms)\}\s+Password:\s+(?<Password>.*)TPM"

you can test it at https://regex101.com/r/5Wp6Tw/1

Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi kiran331,
try this:

(?ms)\}\s+Password:\s+(?<Password>.*)TPM

or

| rex "(?ms)\}\s+Password:\s+(?<Password>.*)TPM"

you can test it at https://regex101.com/r/5Wp6Tw/1

Bye.
Giuseppe

0 Karma

sbbadri
Motivator

@kiran331

your search | rex field=_raw "Password:\s+(?P<password>.+)\s+TPM:

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...