Splunk Search

Need help on regex

sekhar463
Path Finder

Hai all,

Need help on to extract as new filed for user named after CORP\

Message=Task Scheduler started "{B9F5A32A-A340-49C1-B620-8C7A439CA849}" instance of the "\Microsoft\Office\OfficeTelemetryAgentFallBack" task for user "CORP\s-ks4"

 

Thanks

 

Labels (1)
0 Karma
1 Solution

sekhar463
Path Finder

hai for below example event the name need to extract after user key like 

want to extract CORP\USHOU-SVC-VMWare 

09/28/2022 06:00:00 AM LogName=Microsoft-Windows-TaskScheduler/Operational EventCode=100 EventType=4 ComputerName=USHOUSSUTL01V.corp.amvescap.net User=NOT_TRANSLATED Sid=S-1-5-21-789336058-1757981266-839522115-166804 SidType=0 SourceName=Microsoft-Windows-TaskScheduler Type=Information RecordNumber=8012022 Keywords=None TaskCategory=Task Started OpCode=Start Message=Task Scheduler started "{A1EB5D56-3AA0-4658-9D3D-D6642DA56541}" instance of the "\DatastoreUsgaeReport - VDI" task for user "CORP\USHOU-SVC-VMWare".

0 Karma

gcusello
Esteemed Legend

Hi @sekhar463,

please try this:

| rex field=Message "\"CORP\\s-(?<your_field>[^\"]+)"

that you can test at https://regex101.com/r/cer0xU/1

this regex could be different if instead of \s there's a space after CORP.

Ciao.

Giuseppe

0 Karma

sekhar463
Path Finder

Thanks.

how to update if i want to extract after user key word the name which is present 

for below example event

 

09/28/2022 06:00:00 AM LogName=Microsoft-Windows-TaskScheduler/Operational EventCode=100 EventType=4 ComputerName=USHOUSSUTL01V.corp.amvescap.net User=NOT_TRANSLATED Sid=S-1-5-21-789336058-1757981266-839522115-166804 SidType=0 SourceName=Microsoft-Windows-TaskScheduler Type=Information RecordNumber=8012022 Keywords=None TaskCategory=Task Started OpCode=Start Message=Task Scheduler started "{A1EB5D56-3AA0-4658-9D3D-D6642DA56541}" instance of the "\DatastoreUsgaeReport - VDI" task for user "CORP\USHOU-SVC-VMWare".

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex "user\s\"(?<username>[^\"]+)\""
0 Karma

sekhar463
Path Finder

Thanks

its not working while trying in regex101

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try this

| rex "CORP\\\\(?<username>[\"]+)\""
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...