Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex working on Regex101 but not in splunk

shugup2923
Path Finder
‎03-25-2020 01:05 AM

I am having below event -
Subject:
Security ID: EMEA\abc
Account Name: XXXXXXX
Account Domain: EMEA
Logon ID: XXXXXXX

Member:
Security ID: EMEA\User
Account Name: CN=XXXXXX

Group:
Security ID: XXXXXXXXXXXXXXXXXX
Account Name: XXXXXXXXXXXXXXXXXXX
Account Domain: EMEA

I need to extract Member: Security ID
I have used below regex to extract this-
Member:\n\s+Security\s+ID:\s+(?.*)

It seems to be working in Regex101 but when I use this in Splunk its not working .

Tags (1)
0 Karma
Reply

shugup2923
Path Finder
‎03-25-2020 01:16 AM 
Member:\n\s+Security\s+ID\:\s+(?.*)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-25-2020 01:10 AM

Hi @shugup2923,
please use Code Sample button (the one with 101010) to display your regex otherwise it isn't possible to help you.
Only to try in blind mode: did you inserted (?ms) at the beginning of the regex?

(?ms)Member:\s+Security\s+ID:\s+(?<Security_ID>[^ ]+)Account

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-25-2020 01:40 AM

Try this

 (?ms)Member:\s+Security\s+ID:\s+(?<Security_ID>[^ ]+)\s+Account

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...