Splunk Search

Regex Field Extraction

Hello

I am trying to extract the username from windows security event logs. It seems that there are 2 account name fields and I'm trying to extract the second.
04/14/2016 02:15:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=X
EventType=X
Type=X
ComputerName=X
TaskCategory=X
OpCode=X
RecordNumber=X
Keywords=Audit Success
Message=A user account was locked out.

Subject:
Security ID: X
Account Name: Domain Controller
Account Domain: X
Logon ID: X

Account That Was Locked Out:
Security ID: X\me
Account Name: me

I am trying to extract the 2nd Account_Name field (in this example I set the field value to me).

Any thoughts on how I could accomplish this? The value will almost certainly be different for the field as it changes often.
What I had was:
rex field=_raw "Account Name:\s*(?<user>\w.*)" (I had to use quotes around user as the <> made the value not appear in the text)

But of course that extracts BOTH Account Name fields.

Thanks for any pointers, the help is appreciated!

1 Solution

Something like this might work:

| rex "Security ID:\s+\S+\s+Account Name:\s+(?<user>\S+)"

Basically you are telling it to look for the line before the 2nd Account Name (Security ID) and then start capturing on the line following it after the words "Account Name".

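The following is an added example and not code from either post in this thread. It reproduces the problem in Python, whose re module handles these patterns the same way Splunk's PCRE-based rex does except that Python spells a named group (?P<user>...) where rex takes (?<user>...). It runs three patterns over a constructed 4740 message body in the tab-indented, CRLF-terminated form the Windows forwarder delivers (hosts, SIDs and account names are placeholders), and over a copy of the layout shown in the question. A pattern that only looks for "Account Name:" returns the Subject block's account, because rex returns the first match by default. The two reliable ways to get the locked-out account are to anchor the pattern on the "Account That Was Locked Out:" section header, or to capture every Account Name and keep the last one, which in SPL is rex max_match=0 followed by eval user=mvindex(user, -1).

```python
import re
from typing import Optional

# Constructed sample, not taken from the thread: the Message body of a Windows
# Security event 4740 as the forwarder typically delivers it (tab-indented,
# CRLF line endings). SIDs, host and account names are placeholders.
EVENT_4740 = (
    "A user account was locked out.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-18\r\n"
    "\tAccount Name:\t\tDC01$\r\n"
    "\tAccount Domain:\t\tCORP\r\n"
    "\tLogon ID:\t\t0x3E7\r\n"
    "\r\n"
    "Account That Was Locked Out:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105\r\n"
    "\tAccount Name:\t\tme\r\n"
    "\r\n"
    "Additional Information:\r\n"
    "\tCaller Computer Name:\tWKSTN01\r\n"
)

# Constructed copy of the layout pasted in the question (no indentation, LF).
EVENT_POSTED = (
    "Subject:\n"
    "Security ID: X\n"
    "Account Name: Domain Controller\n"
    "Account Domain: X\n"
    "Logon ID: X\n"
    "\n"
    "Account That Was Locked Out:\n"
    "Security ID: X\\me\n"
    "Account Name: me\n"
)

# Python needs (?P<name>...); Splunk rex (PCRE) uses (?<name>...).
# \s+ covers spaces, tabs and either line-ending style, and [^\r\n]+ keeps
# account names that contain spaces while stopping at the end of the line.
PATTERN_ANY_ACCOUNT = re.compile(r"Account Name:\s+(?P<user>[^\r\n]+)")
PATTERN_LOCKED_OUT = re.compile(
    r"Account That Was Locked Out:\s+"
    r"Security ID:\s+\S+\s+"
    r"Account Name:\s+(?P<user>[^\r\n]+)"
)


def extract_first(message: str) -> Optional[str]:
    """Behaves like rex with the default max_match=1 on an unanchored
    'Account Name:' pattern: returns the Subject block's account."""
    m = PATTERN_ANY_ACCOUNT.search(message)
    return m.group("user").strip() if m else None


def extract_locked_out(message: str) -> Optional[str]:
    """Anchors on the section header, so only the locked-out account's
    'Account Name:' line can match, whatever the Subject block contains."""
    m = PATTERN_LOCKED_OUT.search(message)
    return m.group("user").strip() if m else None


def extract_last(message: str) -> Optional[str]:
    """Behaves like rex max_match=0 followed by mvindex(user, -1):
    collect every Account Name and keep the last one."""
    names = [n.strip() for n in PATTERN_ANY_ACCOUNT.findall(message)]
    return names[-1] if names else None


def to_spl_rex(pattern: "re.Pattern[str]", field: str = "_raw") -> str:
    """Rewrite a Python named-group pattern into the equivalent SPL rex command."""
    return f'rex field={field} "{pattern.pattern.replace("(?P<", "(?<")}"'


if __name__ == "__main__":
    for label, event in (("forwarder layout", EVENT_4740), ("posted layout", EVENT_POSTED)):
        print(label)
        print("  first match    :", extract_first(event))
        print("  header-anchored:", extract_locked_out(event))
        print("  last match     :", extract_last(event))
    print(to_spl_rex(PATTERN_LOCKED_OUT))
```

The header-anchored pattern is the one to keep as a search-time extraction, since it cannot be satisfied by the Subject block no matter what Security ID appears there. If the Splunk Add-on for Windows is already giving you a multivalue Account_Name field, the last-match approach applies directly: eval user=mvindex(Account_Name, -1).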