I am trying to extract the username from windows security event logs. It seems that there are 2 account name fields and I'm trying to extract the second.
04/14/2016 02:15:41 PM
SourceName=Microsoft Windows security auditing.
Message=A user account was locked out.
Security ID: X
Account Name: Domain Controller
Account Domain: X
Logon ID: X
Account That Was Locked Out:
Security ID: X\me
Account Name: me
I am trying to extract the 2nd Account_Name field (in this example I set the field value to me).
Any thoughts on how I could accomplish this? The value will almost certainly be different for the field as it changes often.
What I had was:
rex field=_raw "Account Name:\s*(?<user>\w.*)" (had to use quotes around user as the <> made the value not appear in the text)
But of course that extracts BOTH Account Name fields.
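An added example, not part of the question or the poster's search, showing why the original pattern returns the first field and one way to anchor on the "Account That Was Locked Out:" section instead. It uses Python's re module on an event constructed from the sample above; Splunk's rex accepts the same pattern with (?<user>...) in place of Python's (?P<user>...).

```python
import re
from typing import Optional

# Constructed sample event, laid out the way the question shows it.
SAMPLE_EVENT = """04/14/2016 02:15:41 PM
SourceName=Microsoft Windows security auditing.
Message=A user account was locked out.
Security ID: X
Account Name: Domain Controller
Account Domain: X
Logon ID: X
Account That Was Locked Out:
Security ID: X\\me
Account Name: me
"""

# The pattern from the question: '.' does not cross a newline, so this
# captures the rest of the FIRST "Account Name:" line (the caller account).
NAIVE = re.compile(r"Account Name:\s*(?P<user>\w.*)")

# Anchor on the section header that introduces the locked-out account,
# skip its "Security ID:" line, then capture the "Account Name:" that follows.
# Splunk rex equivalent: same pattern with (?<user>[^\r\n]+).
LOCKED_OUT = re.compile(
    r"Account That Was Locked Out:\s*"
    r"Security ID:[^\r\n]*\s*"
    r"Account Name:\s*(?P<user>[^\r\n]+)"
)


def extract_first_account_name(event: str) -> Optional[str]:
    """What the original rex yields: the first Account Name in the event."""
    m = NAIVE.search(event)
    return m.group("user").strip() if m else None


def extract_locked_out_account(event: str) -> Optional[str]:
    """The Account Name under 'Account That Was Locked Out:', or None."""
    m = LOCKED_OUT.search(event)
    return m.group("user").strip() if m else None


if __name__ == "__main__":
    print("naive  :", extract_first_account_name(SAMPLE_EVENT))
    print("locked :", extract_locked_out_account(SAMPLE_EVENT))
```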