Solved: Rex Command Not Working

NightShark · ‎12-06-2023

Hello,

The rex command to catch and group the Accesses multi values are not working even though the results in regex101 are fine. Could you guys tell me what I am missing?

Test Log:

12/12/2012 04:25:13 PM
LogName=Security
EventCode=5145
EventType=0
ComputerName=test.corp
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=2049592111
Keywords=Audit Success
TaskCategory=Detailed File Share
OpCode=Info
Message=A network share object was checked to see whether client can be granted desired access.
	
Subject:
	Security ID:		User\Test
	Account Name:		Test
	Account Domain:		Test
	Logon ID:		0x117974CE

Network Information:	
	Object Type:		File
	Source Address:		::1
	Source Port:		51234
	
Share Information:
	Share Name:		\\*\C$
	Share Path:		\??\C:\
	Relative Target Name:	Users\Test\Desktop

Access Request Information:
	Access Mask:		0x100081
	Accesses:		SYNCHRONIZE
				ReadData (or ListDirectory)
				ReadAttributes
				
Access Check Results:
	-

Splunk Rex Query:

...
| rex field=Body ".*Access Mask.*\sAccesses:\s(?<Accesses2>.+?)Access\sCheck Results\:.*"

Thanks,

Regards,

ITWhisperer · ‎12-06-2023

| rex field=Body "(?ms).*Access Mask.*\sAccesses:\s(?<Accesses2>.+?)Access\sCheck Results\:.*"

View solution in original post

ITWhisperer · ‎12-06-2023

| rex field=Body "(?ms).*Access Mask.*\sAccesses:\s(?<Accesses2>.+?)Access\sCheck Results\:.*"

NightShark · ‎12-06-2023

Thank you very much, working perfect as intended

Rex Command Not Working

eval

field extraction

fields

regex

rex

search job inspector

stats

subsearch

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Rex Command Not Working