Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex expression to extract fields

cgbsplunk
Explorer
‎10-27-2021 10:59 AM

I have two fields below that show up in our log files.  I used Splunk tool to create the Regex to extract the fields and at first I thought it worked until we had fields with different values that didn't extract.  Is there a simple Regex I can use to extract ObjectType and Domain Controller fields in example below?  Values should never have space so we can end value after first space.

ObjectType User

Domain Controller TSTETCDRS001

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-27-2021 12:51 PM

And simple

Object\s+Type\s+(?<Object Type>\w+)

Doesn't work?

Same for the other one

Domain\s+Controller\s+(?<Domain Controller>\w+)

Check your regexes on https://regex101.com

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-27-2021 12:51 PM

And simple

Object\s+Type\s+(?<Object Type>\w+)

Doesn't work?

Same for the other one

Domain\s+Controller\s+(?<Domain Controller>\w+)

Check your regexes on https://regex101.com

0 Karma
Reply
Solved! Jump to solution

cgbsplunk
Explorer
‎10-27-2021 02:08 PM

Really appreciate the help.  That worked for those 2.  I also need one for Target.  I tried this:

Target\s+(?<Target>\w+)

But with a value of this:

Target ABCDE\test.user

I only get the ABCDE.  How do I change the expression to get the entire ABCDE\test.user

 

0 Karma
Reply
Solved! Jump to solution

cgbsplunk
Explorer
‎10-27-2021 02:28 PM

I was able to get this to work by changing w to S like this:

Target\s+(?<Target>\S+)

Thanks again for the help

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-27-2021 12:19 PM

Show us a sample of your full events.

0 Karma
Reply
Solved! Jump to solution

cgbsplunk
Explorer
‎10-27-2021 12:46 PM

These are coming from windows event logs.  Some of the fields are in name value pairs and extract on their own but last 4 fields are the ones I need expressions for.  Here is example of entire message:

10/27/2021 02:39:17 PM
LogName=Application
EventCode=16117
EventType=0
ComputerName=XXXXXXXXX002.xxxx.com
User=NOT_TRANSLATED
Sid=S-1-5-21-114000000-41296648-3127784425-637889
SidType=0
SourceName=AdminSvc
Type=Information
RecordNumber=1502524
Keywords=Audit Success, Classic
TaskCategory=SetInfo
OpCode=None
Message=Action SetInfo
ObjectType Computer
AssistantAdmin xxxx\xxxxx
Target xxxxx\xxxx-xxxx$
Domain Controller xxxxxx06
AccountDisabled

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top