I have a message field in an event ID that isn't extracting properly. The part I'm having an issue with is when there's a special character in the middle of the string (a string of unknown length).
For example, I can extract "test\user" with no issues, but when I have something like below:
test\user.name
test\user-name
test\username-was-here
test\username-was-not.here$
I'm unable to extract them. I've tried:
rex field=Message "(?<SubjectID>[1-9A-Za-z$].+[-$._].+[1-9A-Za-z$])"
I've tried the $ with \$ as well, but this doesn't provide any results. I've also tried taking the 'test\user-name' field and plugging it in directly to see if it would show me a result, but that failed to work as well. Is there a way to do this that takes into account all the scenarios above?
Here's the log entry:
Below is a message that doesn't work due to spaces in the name/ID:
Thanks!
[Updated Answer]
Since "Security ID:" is followed by "Account Name:", the following regex extracts all characters between the two using .+
<yourBaseSearch> EventCode=4724 Message="*" "Subject:" "Target Account:" "Security ID:"
| rex field=Message "Security ID:\s+(?<SecurityID>.+)\s+Account Name:" max_match=2
| eval SubjectSecurityID=mvindex(SecurityID,0), TargetAccountSecurityID=mvindex(SecurityID,1)
Please try it out and confirm!
@johnblakley, please try the following:
<yourBaseSearch> EventCode=4724 Message="*" "Subject:" "Target Account:" "Security ID:"
| rex field=Message "Security ID:\s+(?<SecurityID>[^\s]+)\s" max_match=2
| eval SubjectSecurityID=mvindex(SecurityID,0), TargetAccountSecurityID=mvindex(SecurityID,1)
This works, but it's also breaking at the space in the security ID.
I have updated the regular expression; please try it out and confirm!
@johnblankley, which field are you trying to extract?
Is it Security ID, Account Name, or Logon ID? Also, is it from Subject or from Target Account?
Security ID from both Subject and Target sections.
Do you want to extract them as multi-value in the same field or separate fields?
Can you provide the whole raw data (with sensitive data masked) so I can understand where the ID starts and ends?
This is very close! I had to modify it a little, but I noticed a new issue. How can I account for the SubjectSecurityID having a space? What I'm seeing is that "NT AUTHORITY\SYSTEM" only shows "NT". I've played around with adding something like "(?<SubjectSecurityID>\S+\s+\w+)", but that's not working.
Try this:
...| rex field=Message "(?ms)Subject:\nSecurity ID:(?<SubjectSecurityID>.*)Account Name.*Target Account:\nSecurity ID:(?<TargetSecurityID>.*)Account Name"
Unfortunately, that didn't work. It looks like the message field is one line of characters, so the Subject now becomes the full message when using .*
The result is this:
NT AUTHORITY\SYSTEM Account Name: xxxx$ Account Domain: xxxx Logon ID: 0x3e7
It should just be:
NT AUTHORITY\SYSTEM
Can you provide the whole message where it won't work...
This seems to have worked...do you see any issues with it?
(?<SubjectSecurityID>\S+.\w+.\w+)
Please use the 101010 button for queries so that no special characters get removed.
It will work only for that particular pattern.
Have you tried the below? It seems to be working.
...| rex field=Message "(?ms)Subject:\nSecurity ID:(?<SubjectSecurityID>.*)Account Name.*Target Account:\nSecurity ID:(?<TargetSecurityID>.*)Account Name"
Added to original post. It's breaking on security IDs with spaces. This is just one example, so the \S+ is stopping at the space.
Added to original post...thanks!
So here, are you trying to extract the Security ID?
Yes, for both Subject and Target accounts. My regex works on test sites to capture all special characters, but in Splunk it doesn't work. It's simple enough to do "\w+[-].+[-].+" and it will find anything with two dashes. Splunk won't complain, but it will return a blank result with rex for the extracted field in
Try this for Subject accounts:
...|rex field=_raw "Subject:\nSecurity ID:(?<SubjectSecurityID>\S+)"
Okay, thank you! Field=raw doesn't work for some reason, but this seems to:
... | rex field=Message "Subject:\s+Security\s+ID:\s+(?<SubjectSecurityID>\S+)" | table SubjectSecurityID
Now try this for both:
...| rex field=Message "(?ms)Subject:\nSecurity ID:(?<SubjectSecurityID>\S+).*Target Account:\nSecurity ID:(?<TargetSecurityID>\S+)"
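The three behaviours the thread runs into (\S+ stopping at the space in "NT AUTHORITY\SYSTEM", a greedy .+ swallowing everything up to the last "Account Name:" once the Message field has been flattened to one line, and the max_match=2 / mvindex split) can be reproduced outside Splunk. The block below is an added example, not code from the thread or from Splunk; it uses Python's re module as a stand-in for Splunk's PCRE engine, with named groups written in Python's (?P<name>...) spelling of Splunk's (?<name>...). The event 4724 message is constructed for the example, with made-up account names, and is shown both in its original multi-line form and with all whitespace collapsed to one space, which is how the asker reported the Message field arriving. The lazy pattern (.+?) is the editor's suggested fix, not one posted in the thread; lazy quantifiers work the same way in PCRE, so the equivalent SPL would be rex field=Message "Security ID:\s+(?<SecurityID>.+?)\s+Account Name:" max_match=2.

```python
import re

# Constructed sample of a Windows Security event 4724 Message body (not from the
# original post). Account names and "Security ID" values are made up; the Target
# ID deliberately contains a dot, a dash and a trailing $ as in the question.
EVENT_4724_MULTILINE = """A user account was reset.

Subject:
\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM
\tAccount Name:\t\tDC01$
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3e7

Target Account:
\tSecurity ID:\t\tCORP\\user.name-here$
\tAccount Name:\t\tuser.name-here
\tAccount Domain:\t\tCORP
"""

# The same message with every run of whitespace collapsed to a single space,
# which is how the asker said the Message field looked ("one line of characters").
EVENT_4724_ONELINE = " ".join(EVENT_4724_MULTILINE.split())

# Patterns from the thread, in Python's (?P<name>...) spelling of Splunk's (?<name>...).
# 1. \S+ stops at the first whitespace, so "NT AUTHORITY\SYSTEM" is captured as "NT".
NONSPACE = re.compile(r"Security ID:\s+(?P<SecurityID>\S+)\s")
# 2. Greedy .+ between the two labels. With line breaks present it cannot cross a
#    line, so it works; on the flattened one-line message it runs to the LAST
#    "Account Name:" and captures the whole Subject block plus the Target ID.
GREEDY = re.compile(r"Security ID:\s+(?P<SecurityID>.+)\s+Account Name:")
# 3. Lazy .+? takes the shortest run that is still followed by whitespace and
#    "Account Name:", so spaces, dots, dashes and $ inside the ID all survive
#    whether or not the message has been flattened.
LAZY = re.compile(r"Security ID:\s+(?P<SecurityID>.+?)\s+Account Name:")


def extract_security_ids(message: str, pattern: re.Pattern, max_match: int = 2) -> list[str]:
    """Emulate `rex ... max_match=N`: the first N SecurityID captures, in order."""
    return [m.group("SecurityID") for m in pattern.finditer(message)][:max_match]


def subject_and_target(message: str) -> tuple[str, str]:
    """Emulate the thread's mvindex(SecurityID,0) / mvindex(SecurityID,1) split
    using the lazy pattern; raises if the message does not yield exactly two IDs."""
    ids = extract_security_ids(message, LAZY)
    if len(ids) != 2:
        raise ValueError(f"expected Subject and Target Security IDs, got {ids!r}")
    return ids[0], ids[1]


if __name__ == "__main__":
    for label, msg in (("multiline", EVENT_4724_MULTILINE), ("oneline", EVENT_4724_ONELINE)):
        print(f"{label:9} \\S+    : {extract_security_ids(msg, NONSPACE)}")
        print(f"{label:9} greedy : {extract_security_ids(msg, GREEDY)}")
        print(f"{label:9} lazy   : {extract_security_ids(msg, LAZY)}")
    print("subject/target:", subject_and_target(EVENT_4724_ONELINE))
```

Running it shows why each attempt in the thread behaved as reported: \S+ returns "NT" on both message shapes, the greedy pattern is fine on the multi-line message but returns a single over-long capture on the one-line message, and only the lazy pattern returns the two expected IDs in both cases. Anchoring on the "Account Name:" label that always follows the ID is what makes the capture independent of which characters the ID happens to contain.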