Splunk Search

Regex Field Extraction

Builder

Hello

I am trying to extract the username from Windows security event logs. It seems that there are 2 Account Name fields and I'm trying to extract the second.
04/14/2016 02:15:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=X
EventType=X
Type=X
ComputerName=X
TaskCategory=X
OpCode=X
RecordNumber=X
Keywords=Audit Success
Message=A user account was locked out.

Subject:
Security ID: X
Account Name: Domain Controller
Account Domain: X
Logon ID: X

Account That Was Locked Out:
Security ID: X\me
Account Name: me

I am trying to extract the 2nd Account_Name field (in this example I set the field value to me).

Any thoughts on how I could accomplish this? The value will almost certainly be different for the field as it changes often.
What I had was:
rex field=_raw "Account Name:\s(?"user"(\w.))" (had to use quotes around user as the <> made the value not appear in the text)

But of course that extracts BOTH Account Name fields.

Thanks for any pointers, the help is appreciated!

0 Karma
1 Solution

Influencer

Something like this might work:

| rex "Security ID\: \S*[\r|\n]Account Name\: (?<user>\S*)[\r|\n]"

Basically you are telling it to look for the line before the 2nd Account Name (Security ID) and then start capturing on the line following it after the words "Account Name".


| eval subjectaccount=mvindex(AccountName, 0) | eval targetaccount=mvindex(AccountName, 1) |

0 Karma

SplunkTrust

Give this a try (takes the last Account Name that appeared in the event):

| rex "([\S*\s*]*[\r|\n])*\s*Account Name\:\s+(?<user>.*)[\r|\n]*"

Builder

Couldn't get this one to work

0 Karma

SplunkTrust

Ok. Give this a try as well:

... | rex "Account Name:.*([\r\n])*Account Name\:\s+(?<user>.*)[\r|\n]*"
0 Karma

Motivator

Try this,

... | rex field=_raw max_match=100 "Account Name:\s(?<user>(\w.))"

The max_match property lets you extract multiple values with the same regular expression. You can specify your own number; here I've used 100 matches, but you can change it based on your use case.

Read this document for more info,
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Rex

Thanks,
V

Builder

Yes, this worked as well, BUT with the caveat that it includes BOTH Account Names.

0 Karma


Builder

Unfortunately both Account Name fields are preceded by Security ID fields

0 Karma


Influencer

Just add another line then to give it more context... i.e.

| rex "Account That Was Locked Out\: \S*[\r|\n]Security ID\: \S*[\r|\n]Account Name\: (?<user>\S*)[\r|\n]"

You can also add what should be expected after the field extraction too.

0 Karma
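As an added illustration (not code from the thread), the three patterns discussed above are run in Python over a constructed copy of the event from the question: the question's pattern returns both names, the Security ID anchor still returns both (the objection raised above), and the section-anchored pattern returns only the locked-out account. The patterns use Python's `(?P<name>...)` group syntax and `\s*` after each colon so they do not depend on exact whitespace; the `target_by_index` helper mirrors the `mvindex(AccountName, 1)` suggestion.

```python
import re
from typing import List, Optional

# Constructed sample modelled on the EventCode=4740 event in the question;
# placeholder values are kept and a trailing newline is added.
EVENT = r"""04/14/2016 02:15:41 PM
EventCode=4740
Message=A user account was locked out.

Subject:
Security ID: X
Account Name: Domain Controller
Account Domain: X
Logon ID: X

Account That Was Locked Out:
Security ID: X\me
Account Name: me
"""

# The question's pattern: it matches every "Account Name:" line.
NAIVE = r"Account Name:\s*(?P<user>\S+)"

# First suggestion: anchor on the preceding "Security ID:" line. Both
# sections have one, so this still matches twice.
SECURITY_ID = r"Security ID:\s*\S*[\r\n]+Account Name:\s*(?P<user>\S+)"

# Final suggestion: anchor on the section header as well, so only the
# locked-out account's block can match.
SECTION = (r"Account That Was Locked Out:\s*[\r\n]+"
           r"Security ID:\s*\S*[\r\n]+"
           r"Account Name:\s*(?P<user>\S+)")

def extract_all(pattern: str, event: str) -> List[str]:
    """Every captured value, like rex with max_match set high."""
    return [m.group("user") for m in re.finditer(pattern, event)]

def locked_out_user(event: str) -> Optional[str]:
    """Only the account in the 'Account That Was Locked Out' section."""
    m = re.search(SECTION, event)
    return m.group("user") if m else None

def target_by_index(event: str) -> Optional[str]:
    """The mvindex(AccountName, 1) approach: pick the second match."""
    names = extract_all(NAIVE, event)
    return names[1] if len(names) > 1 else None
```

Note that `extract_all(NAIVE, EVENT)` yields `['Domain', 'me']` because `\S+` stops at the space in "Domain Controller"; the index approach only works while both sections are always present in that order.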

Builder

That is what I did, thanks!

0 Karma

Influencer

Can you choose Accept Answer please?

0 Karma

Influencer

Also, out of curiosity, what happens if you use the interactive field extractor in Splunk Web?

0 Karma

Communicator

Do you not have the Windows TA installed? What event code are you seeing this in? In my experience the TA extracts each account name as a different field (Src and Dest user), so I am not sure where/why you wouldn't be seeing such a case if the TA is installed.

Builder

The specific event code I'm looking at is: EventCode=4740

Do you mean Splunk_TA_windows? If so, yes, it's installed and deployed, but there are no fields named (Src and Dest user).

0 Karma

Communicator

Looking through the TA's props.conf and transforms.conf now, and those fields do have their regex written for them. Did you install Splunk_TA_windows on the search heads? Presumably, I'd rather get the TA fixed than have a custom REGEX that only solves one field over all of the fields. Do you have any custom parsers written at the private, app or global level for Windows events? That would be the #1 reason why the TA no longer parses the data.

0 Karma

Builder

So it seems there was an override. I put in the field extraction from above as a temp fix, but you are also correct. I will correct this at the source ASAP.

0 Karma