The below is the windows security logs Message field data.
The Security_ID field is splunk identified and contains 2 values - Domain1\username1 and Domain2\username2.
I want to extract them in search query as 2 different fields using regex say myfield1=Domain1\username1 and myfield2=Domain2\username2.
Any pointers on how to write regex for this would be helpful?
I used the below query
index="win_logs" sourcetype="WinEventLog:Security" (EventCode=4720) | table Message
"A user account was created.
Subject:
Security ID: Domain1\username1
Account Name: username1
Account Domain: Domain1
Logon ID: 0x1005dc243
New Account:
Security ID: Domain2\username2
Account Name: username2
Account Domain: Domain2
Attributes:
SAM Account Name: username2
Display Name: first name, last name
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set:
Account Expires:
Primary Group ID: 513000000
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: -
SID History: -
Logon Hours:
Additional Information:
Privileges -"
Question: Why do you not use the fields below as they already have the data you're looking for? (Account Name, Domain Name)
This will allow you to use the data in either the entirety (SecurityID), or in parts (Account/Domain Name). Just saying.
Otherwise, if it's just regex practice you could do something like richgalloway posted.
@Itrand, the SecurityID in the Subject para is PerformingUserID and SecurityID in the New Account para is ImpactedUserID. And splunk recognizes both theses values under single field named SecurityID. Hence the need for separate regex.
MuS's comment is a good one. If you insist on using regex, however, this string should get you started:
rex field=Message "Subject:[\s]+?Security ID: (?<myfield1>\S+)[\s\S]+?New Account:[\s]+?Security ID: (?<myfield2>\S+)"
@richgalloway, thanks for the above regex statement. But unfortunately they are not working, myfield1 and myfield2 are blank.
The following works better
rex field=Message "Subject:[\s]+?Security ID:[\s]+(?<myfield1>\S+)[\s\S]+?New Account:[\s]+?Security ID:[\s]+(?<myfield2>\S+)"
Another option would be to take a look at the docs about Windows event monitoring http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata and use the renderXml
option instead of any regex ....
@MuS, not sure if renderXml option will impact the existing 50+ reports created using events in plain text format