I have a message field in an event id that isn't extracting properly. The part I'm having an issue with is when there's a special character in the middle of the string (of unknown length).
For example, I can extract "test\user" with no issues, but when I have something like below:
I'm unable to extract them. I've tried:
rex field=Message "(?<SubjectID>[1-9A-Za-z$].+[-$._].+[1-9A-Za-z$])"
I've tried the $ with \$ as well, but this doesn't provide any results. I've also tried taking the 'test\user-name' field and plugging it in directly to see if it would show me a result, but that failed to work as well. Is there a way to do this where I could take into account all the scenarios above?
Here's the log entry:
Below is a message that doesn't work due to spaces in the name/ID:
Security ID: is followed by Account Name:, so the following regex extracts all characters between the two using
<yourBaseSearch> EventCode=4724 Message="*" "Subject:" "Target Account:" "Security ID:" | rex field=Message "Security ID:\s+(?<SecurityID>.+)\s+Account Name:" max_match=2 | eval SubjectSecurityID=mvindex(SecurityID,0), TargetAccountSecurityID=mvindex(SecurityID,1)
Please try out and confirm!
@johnblakley, please try the following:
<yourBaseSearch> EventCode=4724 Message="*" "Subject:" "Target Account:" "Security ID:" | rex field=Message "Security ID:\s+(?<SecurityID>[^\s]+)\s" max_match=2 | eval SubjectSecurityID=mvindex(SecurityID,0), TargetAccountSecurityID=mvindex(SecurityID,1)
@johnblankley, which field are you trying to extract?
Is it Security ID, Account Name, or Logon ID? Also, is it from Subject or from Target Account?
This is very close! I had to modify it a little, but I noticed a new issue. How can I take into account that the SubjectSecurityID may have a space? What I'm seeing is that "NT AUTHORITY\SYSTEM" only shows "NT". I've played around with adding something like "(?\S+\s+\w+)", but that's not working.
Unfortunately, that didn't work. It looks like the message field is one line of characters, so the Subject now becomes the full message when using .*
The result is this:
NT AUTHORITY\SYSTEM Account Name: xxxx$ Account Domain: xxxx Logon ID: 0x3e7
It should just be:
101010 button for query so that no special characters get removed.
It will work only for a particular pattern.
Have you tried the below? It seems to be working.
...| rex field=Message "(?ms)Subject:\nSecurity ID:(?<SubjectSecurityID>.*)Account Name.*Target Account:\nSecurity ID:(?<TargetSecurityID>.*)Account Name"
Yes, for both Subject and Target accounts. My regex works on test sites to capture all special characters, but in Splunk it doesn't work. It's simple enough to do "\w+[-].+[-].+" and it will find anything with two dashes. Splunk won't complain, but it will return a blank result with rex for the extracted field in
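As an added, runnable example (not code from any poster in this thread), here are the three rex approaches discussed above ported to Python's re module, which accepts the same constructs Splunk's PCRE-based rex does once (?<name>...) is written (?P<name>...). The event text is constructed for the example: the hostname, domain and account values are made up, and the flattened one-line form mirrors what the poster saw in the Message field. It shows why [^\s]+ truncates "NT AUTHORITY\SYSTEM" to "NT", and that anchoring the capture on the label that always follows (Account Name:) with a lazy .+? picks up values containing spaces, backslashes, dashes and $ on both the one-line message and the original multi-line layout, so the allowed characters never have to be enumerated in a class.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a Windows Security event 4724 message as Splunk may present it
# once the multi-line Message has been flattened to one line (hypothetical values).
FLAT_4724 = (
    "A user account was reset. Subject: Security ID: NT AUTHORITY\\SYSTEM "
    "Account Name: host01$ Account Domain: CORP Logon ID: 0x3e7 "
    "Target Account: Security ID: CORP\\test\\user-name$ Account Name: test\\user-name$ "
    "Account Domain: CORP"
)

# The same constructed event with its original line structure preserved.
MULTILINE_4724 = (
    "A user account was reset.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM\n"
    "\tAccount Name:\t\thost01$\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3e7\n\n"
    "Target Account:\n"
    "\tSecurity ID:\t\tCORP\\test\\user-name$\n"
    "\tAccount Name:\t\ttest\\user-name$\n"
    "\tAccount Domain:\t\tCORP\n"
)

# Variant 1: stop at the first whitespace, i.e. rex "Security ID:\s+(?<SecurityID>[^\s]+)\s".
# Any value containing a space is cut short ("NT AUTHORITY\SYSTEM" -> "NT").
WHITESPACE_DELIMITED = re.compile(r"Security ID:\s+(?P<SecurityID>\S+)\s")

# Variant 2: anchor on the label that always follows and match lazily, so the value may
# contain spaces, backslashes, dashes and '$' without listing them in a character class.
LABEL_ANCHORED = re.compile(r"Security ID:\s+(?P<SecurityID>.+?)\s+Account Name:")

# Variant 3: (?ms) for the un-flattened message. Lazy quantifiers plus \s* keep the
# surrounding tabs and newlines out of the captures; Subject first, Target Account second.
SECTIONED = re.compile(
    r"(?ms)Subject:\s*Security ID:\s*(?P<SubjectSecurityID>.+?)\s*Account Name:"
    r".*?Target Account:\s*Security ID:\s*(?P<TargetSecurityID>.+?)\s*Account Name:"
)


def extract_security_ids(message: str, pattern: "re.Pattern" = LABEL_ANCHORED,
                         max_match: int = 2) -> List[str]:
    """Mimic rex ... max_match=N: return up to N captures of the named group, in order."""
    return [m.group(1) for m in pattern.finditer(message)][:max_match]


def split_subject_target(message: str,
                         pattern: "re.Pattern" = LABEL_ANCHORED) -> Dict[str, Optional[str]]:
    """Mimic eval SubjectSecurityID=mvindex(SecurityID,0), TargetAccountSecurityID=mvindex(SecurityID,1)."""
    ids = extract_security_ids(message, pattern)
    return {
        "SubjectSecurityID": ids[0] if len(ids) > 0 else None,
        "TargetAccountSecurityID": ids[1] if len(ids) > 1 else None,
    }


def extract_sectioned(message: str) -> Optional[Dict[str, str]]:
    """Single-pass extraction of both Security IDs using the (?ms) section-aware pattern."""
    m = SECTIONED.search(message)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print("whitespace-delimited:", extract_security_ids(FLAT_4724, WHITESPACE_DELIMITED))
    print("label-anchored (flat):", split_subject_target(FLAT_4724))
    print("label-anchored (multi-line):", split_subject_target(MULTILINE_4724))
    print("sectioned (multi-line):", extract_sectioned(MULTILINE_4724))
```

Variant 2 is the one to reach for when the Message has been collapsed to a single line, because the lazy quantifier stops at the first following label instead of running to the last one the way a greedy .+ does. Variant 3 adds the Subject/Target ordering explicitly and so is the safer choice when the event contains more than two Security ID: lines.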