Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex expression multi line with line break

jared_anderson
Path Finder
‎04-13-2018 01:36 PM

I copied the log from splunk to regex101.com. I am searching against Windows Event Viewer logs. Event Code 4722 and 4720. I am trying to create a new field. I am trying to create a new field 'enableusername' that matches Account Name only for event 4722. Writing regular a regular expression in regex101.com matches, but as soon as i use the rex command it doesn't work.

I tested creating test fields 1 line at a time. My test fields worked correctly until I got the the line break in the log. It fails once we hit the line break in the log. Line 13. 

rex " EventCode=4722(\n.+\s?){8}\s\nSubject:(\n.+\s?){4}\s\n.+\n\s.+\n\sAccount Name:\s\s(?<test>.+?)\n"

04/13/2018 01:33:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4722
EventType=0
Type=Information
ComputerName=dc.domain.local
TaskCategory=User Account Management
OpCode=Info
RecordNumber=4144536958
Keywords=Audit Success
Message=A user account was enabled.

Subject:
    Security ID:        company\server
    Account Name:       server
    Account Domain:     company
    Logon ID:       0x92A3188

Target Account:
    Security ID:        CASEYS\user
    Account Name:       user
    Account Domain:     domain
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎04-13-2018 03:12 PM

I believe that the following two examples could work for what you want. The first will get you the first Account Name, and the second will get the last Account Name:

rex field=raw " EventCode=4722[\s\S]+?Account Name:\s+(?<enableusername>.+)"

rex field=raw " EventCode=4722[\s\S]+Account Name:\s+(?<enableusername>.+)"

This has worked for my test case which I'm supplying the search for:

| makeresults 
| eval raw="04/13/2018 01:33:58 PM
 LogName=Security
 SourceName=Microsoft Windows security auditing.
 EventCode=4722
 EventType=0
 Type=Information
 ComputerName=dc.domain.local
 TaskCategory=User Account Management
 OpCode=Info
 RecordNumber=4144536958
 Keywords=Audit Success
 Message=A user account was enabled.

 Subject:
     Security ID:        company\server
     Account Name:        server
     Account Domain:        company
     Logon ID:        0x92A3188

 Target Account:
     Security ID:        CASEYS\user
     Account Name:        user
     Account Domain:        domain"
| rex field=raw " EventCode=4722[\s\S]+?Account Name:\s+(?< enableusername >.+)"

Hopefully this will get you on your way to what will work best for you.

View solution in original post

Reply
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎04-13-2018 03:12 PM

I believe that the following two examples could work for what you want. The first will get you the first Account Name, and the second will get the last Account Name:

rex field=raw " EventCode=4722[\s\S]+?Account Name:\s+(?<enableusername>.+)"

rex field=raw " EventCode=4722[\s\S]+Account Name:\s+(?<enableusername>.+)"

This has worked for my test case which I'm supplying the search for:

| makeresults 
| eval raw="04/13/2018 01:33:58 PM
 LogName=Security
 SourceName=Microsoft Windows security auditing.
 EventCode=4722
 EventType=0
 Type=Information
 ComputerName=dc.domain.local
 TaskCategory=User Account Management
 OpCode=Info
 RecordNumber=4144536958
 Keywords=Audit Success
 Message=A user account was enabled.

 Subject:
     Security ID:        company\server
     Account Name:        server
     Account Domain:        company
     Logon ID:        0x92A3188

 Target Account:
     Security ID:        CASEYS\user
     Account Name:        user
     Account Domain:        domain"
| rex field=raw " EventCode=4722[\s\S]+?Account Name:\s+(?< enableusername >.+)"

Hopefully this will get you on your way to what will work best for you.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...