Splunk Search

How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627

att35
Builder

Need some help in extracting Group Membership details from Windows Event Code 4627.

As explained in this answer,

https://community.splunk.com/t5/Splunk-Search/Regex-not-working-as-expected/m-p/470417

The following seems to be working to extract Group_name, but the capture doesn't stop once the group list ends. Instead, it continues to match everything till the end of the line. I experimented with (?ms) and (?m) but didn't have any success.

"(?ms)(?:^Group Membership:\t\t\t|\G(?!^))\r?\n[\t ]*(?:[^\\\r\n]*\\\)*(?<Group_name>(.+))"

09/04/2024 11:59:59 PM
LogName=Security
EventCode=4627
EventType=0
ComputerName=DCServer.domain.x.y
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=64222222324
Keywords=Audit Success
TaskCategory=Group Membership
OpCode=Info
Message=Group membership information.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		DCServer$
	Account Domain:		Domain
	Logon ID:		0x1111

Logon Type:			3

New Logon:
	Security ID:		Domain\Account
	Account Name:		Account
	Account Domain:		Domain
	Logon ID:		0x5023236

Event in sequence:		1 of 1

Group Membership:			
		Domain\Group1
		Group2
		BUILTIN\Group3
		BUILTIN\Group4
		BUILTIN\Group5
		BUILTIN\Group6
		NT AUTHORITY\NETWORK
		NT AUTHORITY\Authenticated Users
		Domain\Group7

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit Group Membership subcategory is configured.  The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.

When I use this regex, it does capture starting from the Group list but continues on till the end of event.

[Screenshot attachment: Group_name.png]

How can I tell the regex to stop matching once the group list ends? Also, this regex seems to be putting all groups into a single match. Is it possible to make it multi-valued, so that we can count the total number of groups present in a given event, e.g. 9 groups in the event example above?

Thanks,

~Abhi

1 Solution

ITWhisperer
SplunkTrust
| rex max_match=0 "(?m)^\t\t+(?<Group_name>.+)$"

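To show why the capture in the question runs to the end of the event and how the accepted rex yields one value per group, here is an added Python example (not from this thread or from Splunk) that replays both patterns with Python's re module on a constructed copy of the event. Python's re has no \G and names groups as (?P<name>), so the question's regex is reduced to the part that causes the behaviour, the s in (?ms) letting .+ cross newlines; the accepted pattern is used unchanged apart from the group-name syntax.

```python
import re

# Constructed sample, modelled on the 4627 event in the question (tabs written
# explicitly so the two-tab indentation of the group lines survives copy/paste).
EVENT = (
    "Message=Group membership information.\n"
    "Subject:\n"
    "\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM\n"
    "Event in sequence:\t\t1 of 1\n"
    "Group Membership:\t\t\t\n"
    "\t\tDomain\\Group1\n"
    "\t\tGroup2\n"
    "\t\tBUILTIN\\Group3\n"
    "\t\tBUILTIN\\Group4\n"
    "\t\tBUILTIN\\Group5\n"
    "\t\tBUILTIN\\Group6\n"
    "\t\tNT AUTHORITY\\NETWORK\n"
    "\t\tNT AUTHORITY\\Authenticated Users\n"
    "\t\tDomain\\Group7\n"
    "\n"
    "The subject fields indicate the account which requested the logon.\n"
)

# Reduced stand-in for the question's regex (Python's re has no \G and uses
# (?P<name>)): the s in (?ms) lets '.+' cross newlines, so the single capture
# runs from the first group to the end of the event.
ORIGINAL = re.compile(r"(?ms)^Group Membership:[\t ]*\r?\n[\t ]*(?P<Group_name>.+)")

# The accepted answer, unchanged apart from Python's group-name syntax: with
# (?m) alone, ^ and $ are line anchors and '.' stops at the newline, so each
# two-tab-indented line is one match (rex max_match=0 keeps all of them).
ACCEPTED = re.compile(r"(?m)^\t\t+(?P<Group_name>.+)$")


def original_capture(event: str) -> str:
    """What the question's pattern returns: one blob running to end of event."""
    m = ORIGINAL.search(event)
    return m.group("Group_name") if m else ""


def extract_groups(event: str) -> list[str]:
    """Equivalent of rex max_match=0: one value per group line. rstrip drops
    the \\r that '.+' would keep on events with CRLF line endings."""
    return [m.group("Group_name").rstrip("\r") for m in ACCEPTED.finditer(event)]


if __name__ == "__main__":
    groups = extract_groups(EVENT)
    print(len(groups), "groups:", groups)        # 9 groups: ['Domain\\Group1', ...]
    print(original_capture(EVENT).splitlines()[-1])  # ...which requested the logon.
```

In Splunk the same count is `| rex max_match=0 "(?m)^\t\t+(?<Group_name>.+)$" | eval group_count=mvcount(Group_name)`.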

att35
Builder

Thanks @ITWhisperer

That worked perfectly.
