Hi all,
I need help to extract, as a new field, the user name after CORP\
Message=Task Scheduler started "{B9F5A32A-A340-49C1-B620-8C7A439CA849}" instance of the "\Microsoft\Office\OfficeTelemetryAgentFallBack" task for user "CORP\s-ks4"
Thanks
Hi, for the example event below, the name needs to be extracted after the user key, like this:
I want to extract CORP\USHOU-SVC-VMWare
09/28/2022 06:00:00 AM LogName=Microsoft-Windows-TaskScheduler/Operational EventCode=100 EventType=4 ComputerName=USHOUSSUTL01V.corp.amvescap.net User=NOT_TRANSLATED Sid=S-1-5-21-789336058-1757981266-839522115-166804 SidType=0 SourceName=Microsoft-Windows-TaskScheduler Type=Information RecordNumber=8012022 Keywords=None TaskCategory=Task Started OpCode=Start Message=Task Scheduler started "{A1EB5D56-3AA0-4658-9D3D-D6642DA56541}" instance of the "\DatastoreUsgaeReport - VDI" task for user "CORP\USHOU-SVC-VMWare".
Hi @sekhar463,
please try this:
| rex field=Message "\"CORP\\s-(?<your_field>[^\"]+)"
that you can test at https://regex101.com/r/cer0xU/1
This regex could be different if, instead of \s, there's a space after CORP.
Ciao.
Giuseppe
Thanks.
How do I update it if I want to extract the name that is present after the user keyword
for the example event below?
09/28/2022 06:00:00 AM LogName=Microsoft-Windows-TaskScheduler/Operational EventCode=100 EventType=4 ComputerName=USHOUSSUTL01V.corp.amvescap.net User=NOT_TRANSLATED Sid=S-1-5-21-789336058-1757981266-839522115-166804 SidType=0 SourceName=Microsoft-Windows-TaskScheduler Type=Information RecordNumber=8012022 Keywords=None TaskCategory=Task Started OpCode=Start Message=Task Scheduler started "{A1EB5D56-3AA0-4658-9D3D-D6642DA56541}" instance of the "\DatastoreUsgaeReport - VDI" task for user "CORP\USHOU-SVC-VMWare".
| rex "user\s\"(?<username>[^\"]+)\""
Thanks
It's not working when I try it in regex101.
Try this
| rex "CORP\\\\(?<username>[^\"]+)\""
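The reason the patterns above behave differently in regex101 than in Splunk is the escaping SPL applies inside a double-quoted rex string before the regex engine sees it. The following Python script is an added example, not code from anyone in this thread: it reproduces that unescaping on the three rex patterns posted here (assuming SPL turns a doubled backslash into a single one and a backslash-quote into a quote, and passes every other backslash sequence through unchanged) and also splits the account into domain and user name with a plain regex over the sample messages.

```python
import re

# Constructed sample messages reusing the task names and accounts quoted in the thread.
SAMPLE_MESSAGES = [
    'Task Scheduler started "{B9F5A32A-A340-49C1-B620-8C7A439CA849}" instance of the '
    '"\\Microsoft\\Office\\OfficeTelemetryAgentFallBack" task for user "CORP\\s-ks4"',
    'Task Scheduler started "{A1EB5D56-3AA0-4658-9D3D-D6642DA56541}" instance of the '
    '"\\DatastoreUsgaeReport - VDI" task for user "CORP\\USHOU-SVC-VMWare".',
]

# Splits the quoted account into domain and user name: the domain stops at the
# backslash, the user name at the closing quote.
TASK_USER_RE = re.compile(r'task for user "(?P<domain>[^"\\]+)\\(?P<account>[^"]+)"')


def extract_task_user(message: str):
    """Return {'domain': ..., 'account': ...} for an EventCode 100 message, or None."""
    m = TASK_USER_RE.search(message)
    return m.groupdict() if m else None


def spl_string_to_regex(spl: str) -> str:
    """Turn the text typed inside a double-quoted SPL rex string into the regex
    Splunk actually compiles. Assumption: SPL collapses a doubled backslash to one
    backslash and backslash-quote to a quote; other sequences (e.g. the whitespace
    class) pass through untouched."""
    out, i = [], 0
    while i < len(spl):
        if spl[i] == "\\" and i + 1 < len(spl) and spl[i + 1] in '\\"':
            out.append(spl[i + 1])
            i += 2
        else:
            out.append(spl[i])
            i += 1
    regex = "".join(out)
    # Python's re only accepts (?P<name>...); rewrite PCRE-style named groups
    # while leaving lookbehinds (?<= and (?<! alone.
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", regex)


def run_spl_rex(spl: str, message: str):
    """Apply an SPL rex pattern to one message; return the named groups or None."""
    m = re.search(spl_string_to_regex(spl), message)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(extract_task_user(msg))
    # First pattern in the thread: the doubled backslash becomes a whitespace class,
    # so it never matches the literal "CORP\s-ks4".
    print(run_spl_rex(r'\"CORP\\s-(?<your_field>[^\"]+)', SAMPLE_MESSAGES[0]))
    # Four backslashes reach the regex engine as one escaped literal backslash.
    print(run_spl_rex(r'CORP\\\\(?<username>[^\"]+)\"', SAMPLE_MESSAGES[1]))
```

To test a rex in regex101, paste the output of spl_string_to_regex rather than the SPL string itself.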