Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex working on Regex101 but not in splunk

shugup2923
Path Finder
‎03-25-2020 01:05 AM

I am having below event -
Subject:
Security ID: EMEA\abc
Account Name: XXXXXXX
Account Domain: EMEA
Logon ID: XXXXXXX

Member:
Security ID: EMEA\User
Account Name: CN=XXXXXX

Group:
Security ID: XXXXXXXXXXXXXXXXXX
Account Name: XXXXXXXXXXXXXXXXXXX
Account Domain: EMEA

I need to extract Member: Security ID
I have used below regex to extract this-
Member:\n\s+Security\s+ID:\s+(?.*)

It seems to be working in Regex101 but when I use this in Splunk its not working .

Tags (1)
0 Karma
Reply

shugup2923
Path Finder
‎03-25-2020 01:16 AM 
Member:\n\s+Security\s+ID\:\s+(?.*)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-25-2020 01:10 AM

Hi @shugup2923,
please use Code Sample button (the one with 101010) to display your regex otherwise it isn't possible to help you.
Only to try in blind mode: did you inserted (?ms) at the beginning of the regex?

(?ms)Member:\s+Security\s+ID:\s+(?<Security_ID>[^ ]+)Account

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-25-2020 01:40 AM

Try this

 (?ms)Member:\s+Security\s+ID:\s+(?<Security_ID>[^ ]+)\s+Account

Ciao.
Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...