Hi,
I am trying to search the Windows Security log for any events where the account_name field contains "fire" (case insensitive).
sourcetype="WinEventLog:Security" regex Account_Name="/(\w{1,20})?fire(\w{1,20})?/i"
I am using the above search, but it doesn't work. Yet there are accounts which have fire in the name such as Firetestadmin or bluefire123, and there are events for this search.
What am I doing wrong, please?
Thanks
How about:
sourcetype="WinEventLog:Security" | rex "(?i)Account Name:\s+(?<a_fire_account>.*fire.*)"
I recommend that you download the Splunk for Windows technology add-on:
http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on
It does field extractions in Windows events for you (so you don't have to worry about rex too much).
Then you can search as follows:
sourcetype="WinEventLog:Security" Account_Name="*fire*"
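As an added illustration (not code from this thread or from Splunk), here is the answer's rex pattern run in Python over a few constructed, multi-line 4624-style events, so you can see what it actually extracts. Two things are worth knowing when you use it: rex keeps only the first match per event by default, and a 4624 event carries two "Account Name:" lines (Subject and New Logon), so the extracted value is whichever of the two matches first. The event builder, the sample account names and the tighter `\S*fire\S*` variant are my own assumptions for the example, not anything from the original post.

```python
import re

# Splunk's rex uses PCRE-style (?<name>...) groups; Python's re spells the same
# group (?P<name>...). Everything else in the answer's pattern carries over
# unchanged, including the (?i) flag that makes the match case-insensitive.
ANSWER_PATTERN = re.compile(r"(?i)Account Name:\s+(?P<a_fire_account>.*fire.*)")

# Tighter variant (my suggestion, not from the thread): \S* stops at the first
# whitespace, so a trailing \r from CRLF-terminated events is not swept into the
# extracted value the way the greedy .* does (. matches \r in both Python and PCRE).
TIGHT_PATTERN = re.compile(r"(?i)Account Name:\s+(?P<a_fire_account>\S*fire\S*)")


def event(subject_account, logon_account, eol="\n"):
    """Build a constructed 4624-style event body (sample data, not real logs)."""
    lines = [
        "An account was successfully logged on.",
        "",
        "Subject:",
        "\tSecurity ID:\t\tS-1-5-18",
        f"\tAccount Name:\t\t{subject_account}",
        "\tAccount Domain:\t\tCORP",
        "",
        "New Logon:",
        "\tSecurity ID:\t\tS-1-5-21-1-2-3-1001",
        f"\tAccount Name:\t\t{logon_account}",
        "\tAccount Domain:\t\tCORP",
    ]
    return eol.join(lines) + eol


def rex(text, pattern):
    """Mimic `| rex` with its default max_match=1: named groups of the first match, else {}."""
    m = pattern.search(text)
    return m.groupdict() if m else {}


def fire_accounts(events, pattern=ANSWER_PATTERN):
    """Run the extraction over every event and keep the values that were produced."""
    found = []
    for e in events:
        fields = rex(e, pattern)
        if "a_fire_account" in fields:
            found.append(fields["a_fire_account"])
    return found


# Constructed sample events (assumed names, not from the thread).
SAMPLE_EVENTS = [
    event("WIN-HOST$", "Firetestadmin"),   # matched in the New Logon block
    event("-", "bluefire123"),             # matched in the New Logon block
    event("jsmith", "jsmith"),             # no "fire" anywhere: rex produces no field
    event("firewatch", "Administrator"),   # matched in the Subject block, not New Logon
]

if __name__ == "__main__":
    print(fire_accounts(SAMPLE_EVENTS))
    crlf = event("-", "bluefire123", eol="\r\n")
    print(repr(rex(crlf, ANSWER_PATTERN)["a_fire_account"]))
    print(repr(rex(crlf, TIGHT_PATTERN)["a_fire_account"]))
```

Note that the fourth sample event is picked up because of the Subject account, not the logged-on account; if you only care about the New Logon account you need a pattern anchored on that block, or the TA's extracted fields, rather than the first "Account Name:" that happens to match.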
Try this:
sourcetype="WinEventLog:Security" Account_Name="*fire*"
Thanks anyway 🙂
Looks like Chris beat me to it.
Excellent - Thank you!