Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write regex to extract fields with multiple values?

basanthp
Path Finder
‎12-26-2014 12:48 AM

The below is the windows security logs Message field data.

The Security_ID field is splunk identified and contains 2 values - Domain1\username1 and Domain2\username2.

I want to extract them in search query as 2 different fields using regex say myfield1=Domain1\username1 and myfield2=Domain2\username2.

Any pointers on how to write regex for this would be helpful?

I used the below query

index="win_logs" sourcetype="WinEventLog:Security" (EventCode=4720) | table Message

"A user account was created.

Subject:
Security ID: Domain1\username1
Account Name: username1
Account Domain: Domain1
Logon ID: 0x1005dc243

New Account:
Security ID: Domain2\username2
Account Name: username2
Account Domain: Domain2

Attributes:
SAM Account Name: username2
Display Name: first name, last name
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set:
Account Expires:
Primary Group ID: 513000000
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:

Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: -
SID History: -
Logon Hours:

Additional Information:
Privileges -"

Reply

ltrand
Contributor
‎12-26-2014 01:27 PM

Question: Why do you not use the fields below as they already have the data you're looking for? (Account Name, Domain Name)

This will allow you to use the data in either the entirety (SecurityID), or in parts (Account/Domain Name). Just saying.

Otherwise, if it's just regex practice you could do something like richgalloway posted.

0 Karma
Reply

basanthp
Path Finder
‎12-29-2014 09:12 PM

@Itrand, the SecurityID in the Subject para is PerformingUserID and SecurityID in the New Account para is ImpactedUserID. And splunk recognizes both theses values under single field named SecurityID. Hence the need for separate regex.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-26-2014 05:50 AM

MuS's comment is a good one. If you insist on using regex, however, this string should get you started:

rex field=Message "Subject:[\s]+?Security ID: (?<myfield1>\S+)[\s\S]+?New Account:[\s]+?Security ID: (?<myfield2>\S+)"
---
If this reply helps you, Karma would be appreciated.
Reply

basanthp
Path Finder
‎12-29-2014 09:09 PM

@richgalloway, thanks for the above regex statement. But unfortunately they are not working, myfield1 and myfield2 are blank.

0 Karma
Reply

rathjunk
Engager
‎08-08-2016 09:38 PM

The following works better

rex field=Message "Subject:[\s]+?Security ID:[\s]+(?<myfield1>\S+)[\s\S]+?New Account:[\s]+?Security ID:[\s]+(?<myfield2>\S+)"
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎12-26-2014 01:24 AM

Another option would be to take a look at the docs about Windows event monitoring http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata and use the renderXml option instead of any regex ....

0 Karma
Reply

basanthp
Path Finder
‎12-29-2014 09:08 PM

@MuS, not sure if renderXml option will impact the existing 50+ reports created using events in plain text format

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...