Splunk Search

How to write regex to extract fields with multiple values?

Path Finder

The below is the windows security logs Message field data.

The Security_ID field is splunk identified and contains 2 values - Domain1\username1 and Domain2\username2.

I want to extract them in search query as 2 different fields using regex say myfield1=Domain1\username1 and myfield2=Domain2\username2.

Any pointers on how to write regex for this would be helpful?

I used the below query

index="win_logs" sourcetype="WinEventLog:Security" (EventCode=4720) | table Message

"A user account was created.

Security ID: Domain1\username1
Account Name: username1
Account Domain: Domain1
Logon ID: 0x1005dc243

New Account:
Security ID: Domain2\username2
Account Name: username2
Account Domain: Domain2

SAM Account Name: username2
Display Name: first name, last name
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set:
Account Expires:
Primary Group ID: 513000000
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:

Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: -
SID History: -
Logon Hours:

Additional Information:
Privileges -"


Question: Why do you not use the fields below as they already have the data you're looking for? (Account Name, Domain Name)

This will allow you to use the data in either the entirety (SecurityID), or in parts (Account/Domain Name). Just saying.

Otherwise, if it's just regex practice you could do something like richgalloway posted.

0 Karma

Path Finder

@Itrand, the SecurityID in the Subject para is PerformingUserID and SecurityID in the New Account para is ImpactedUserID. And splunk recognizes both theses values under single field named SecurityID. Hence the need for separate regex.

0 Karma


MuS's comment is a good one. If you insist on using regex, however, this string should get you started:

rex field=Message "Subject:[\s]+?Security ID: (?<myfield1>\S+)[\s\S]+?New Account:[\s]+?Security ID: (?<myfield2>\S+)"
If this reply helps you, an upvote would be appreciated.

Path Finder

@richgalloway, thanks for the above regex statement. But unfortunately they are not working, myfield1 and myfield2 are blank.

0 Karma


The following works better

rex field=Message "Subject:[\s]+?Security ID:[\s]+(?<myfield1>\S+)[\s\S]+?New Account:[\s]+?Security ID:[\s]+(?<myfield2>\S+)"
0 Karma


Another option would be to take a look at the docs about Windows event monitoring http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata and use the renderXml option instead of any regex ....

0 Karma

Path Finder

@MuS, not sure if renderXml option will impact the existing 50+ reports created using events in plain text format

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...