I have a Windows event below. This regex, (?ms)^\s+User Name:\s+(?
09/06/2012 08:54:52 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=TESTSYSTEM
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=50947147
Message=Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
The following regex statement should work. I tested it with a few variations of your example.
(?ms)^\s+User\sName:\s+(?P<user_name>[^\s]+|)
OR
(?ms)^\s+User\sName:\s+(?P<user_name>[^\s]+|)\r
Hope this helps.
Cheers
@cphair, I think I understand your question, maybe. If you know username and domain will always appear together, and you wanted to perform multiple field extractions in the statement, you might want to use the | (pipe) to make the match optional. Keep in mind that when using the | (pipe), the following alternative will be tried if the regex backtracks into the group.
Ok, I think I understand what you are trying to do and the following regex statement should work or at the very least get you most of the way there.
(?m)^\s+(User\sName:\s+(?P
OR
(?m)^\s+((?:User\sName:\s+(?P
Your FORMAT notation:
FORMAT = account_name::$1 account_name::$2
@bmacias84, if you know the Message format is always the same, can you add "Domain:" to the end of your regex, after the parentheses? Do you really need to perform multi- and single-line matching for a username extraction?
Can you provide a sample of the event extract_accountname is used in?
props.conf
[tcp-raw]
REPORT-extract_names = extract_username, extract_accountname
transforms.conf
[extract_username]
# extracts the user name field in Windows security logs
REGEX = (?ms)^\s+User Name:\s+([^\s]+|)\r
FORMAT = user_name::$1
[extract_accountname]
# extracts the account name field in Windows security logs
REGEX = (?ms)Account For Which Logon Failed.+?Account Name:\s+(\V+)
FORMAT = account_name::$1
It works with the \r at the end in an editor like gskinner.com/regexr. In Splunk, I have two extractions for one sourcetype. One for the username that you helped with and another for account names. The problem I have now is when I add the \r to regex in transforms.conf, the username is no longer extracted, only the account name. I must be missing something.
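An added example (not code from any poster in this thread) that runs the two user-name regexes from the answer, with and without the trailing \r, against constructed EventCode 529 Message bodies, plus a third variant that only allows horizontal whitespace after the label. The sample Message text, its tab separators, the CRLF/LF line endings and the value jdoe are assumptions made for the example; the point it shows is that \s+ after "User Name:" happily spans the line break into the "Domain:" line when the user name is empty, so whether the \r anchor rescues the extraction depends on exactly what follows the next label, and an indexed event that no longer contains CR characters cannot match a pattern ending in \r at all. Python's re engine is used here because it shares the relevant semantics (\s, [^\s], (?ms), named groups) with Splunk's PCRE for these patterns; the account_name regex is left out because \V is a PCRE escape that Python's re does not support.

```python
import re

# Constructed sample Message bodies for an EventCode 529 failure audit.
# The "label:<TAB>value" layout, the CRLF endings and the user name "jdoe"
# are assumptions of this example, not data taken from the thread.
EVENT_EMPTY_CRLF = (
    "Logon Failure:\r\n"
    "\tReason:\t\tUnknown user name or bad password\r\n"
    "\tUser Name:\t\r\n"
    "\tDomain:\t\r\n"
    "\tLogon Type:\t3\r\n"
)
# The same event after every CR has been stripped (an LF-only copy of the log).
EVENT_EMPTY_LF = EVENT_EMPTY_CRLF.replace("\r\n", "\n")
# Empty user name, but with no tab after the labels (label directly before CRLF).
EVENT_EMPTY_NOTAB = (
    "Logon Failure:\r\n"
    "\tUser Name:\r\n"
    "\tDomain:\r\n"
    "\tLogon Type: 3\r\n"
)
# A populated user name for comparison.
EVENT_USER = EVENT_EMPTY_CRLF.replace("User Name:\t\r\n", "User Name:\tjdoe\r\n")

# The regex from the answer, and the same regex with a trailing \r.
REGEX_POSTED = r"(?ms)^\s+User\sName:\s+(?P<user_name>[^\s]+|)"
REGEX_CR = r"(?ms)^\s+User\sName:\s+(?P<user_name>[^\s]+|)\r"
# Alternative: only spaces/tabs may follow the label, so the capture can never
# run onto the next line; \S* permits an empty value without an alternation.
REGEX_HWS = r"(?m)^[ \t]*User Name:[ \t]*(?P<user_name>\S*)"


def extract(pattern, text):
    """Return the user_name group, or None when the pattern matches nowhere."""
    m = re.search(pattern, text)
    return m.group("user_name") if m else None


def compare(text):
    """Run all three patterns over one Message body and return what each captures."""
    return {
        "posted": extract(REGEX_POSTED, text),
        "cr": extract(REGEX_CR, text),
        "hws": extract(REGEX_HWS, text),
    }


if __name__ == "__main__":
    samples = [
        ("user present, CRLF", EVENT_USER),
        ("empty user, CRLF, tab after label", EVENT_EMPTY_CRLF),
        ("empty user, LF only", EVENT_EMPTY_LF),
        ("empty user, CRLF, no tab after label", EVENT_EMPTY_NOTAB),
    ]
    for name, event in samples:
        print(f"{name}: {compare(event)}")
```

On the populated event all three patterns agree on jdoe. With an empty user name the posted regex captures the literal text "Domain:" in every layout, because \s+ consumes the line ending and [^\s]+ then grabs the next label. The \r variant returns an empty string only when the "Domain:" label is followed by a tab (so that \r cannot match right after it and the engine backtracks to the empty alternative); with the label directly before CRLF it also captures "Domain:", and on an LF-only event it matches nothing, which is the "username is no longer extracted" symptom. The horizontal-whitespace variant returns the empty string in all three empty-user layouts.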