I copied the log from Splunk to regex101.com. I am searching against Windows Event Viewer logs, Event Code 4722 and 4720. I am trying to create a new field 'enableusername' that matches Account Name only for event 4722. Writing a regular expression in regex101.com matches, but as soon as I use the rex command it doesn't work.
I tested creating test fields one line at a time. My test fields worked correctly until I got to the line break in the log. It fails once we hit the line break in the log. Line 13.
rex " EventCode=4722(\n.+\s?){8}\s\nSubject:(\n.+\s?){4}\s\n.+\n\s.+\n\sAccount Name:\s\s(?<test>.+?)\n"
04/13/2018 01:33:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4722
EventType=0
Type=Information
ComputerName=dc.domain.local
TaskCategory=User Account Management
OpCode=Info
RecordNumber=4144536958
Keywords=Audit Success
Message=A user account was enabled.
Subject:
    Security ID:        company\server
    Account Name:       server
    Account Domain:     company
    Logon ID:       0x92A3188
Target Account:
    Security ID:        CASEYS\user
    Account Name:       user
    Account Domain:     domain
I believe that the following two examples could work for what you want. The first will get you the first Account Name, and the second will get the last Account Name:
rex field=raw " EventCode=4722[\s\S]+?Account Name:\s+(?<enableusername>.+)"
rex field=raw " EventCode=4722[\s\S]+Account Name:\s+(?<enableusername>.+)"
This has worked for my test case which I'm supplying the search for:
| makeresults 
| eval raw="04/13/2018 01:33:58 PM
 LogName=Security
 SourceName=Microsoft Windows security auditing.
 EventCode=4722
 EventType=0
 Type=Information
 ComputerName=dc.domain.local
 TaskCategory=User Account Management
 OpCode=Info
 RecordNumber=4144536958
 Keywords=Audit Success
 Message=A user account was enabled.
 Subject:
     Security ID:        company\server
     Account Name:        server
     Account Domain:        company
     Logon ID:        0x92A3188
 Target Account:
     Security ID:        CASEYS\user
     Account Name:        user
     Account Domain:        domain"
| rex field=raw " EventCode=4722[\s\S]+?Account Name:\s+(?<enableusername>.+)"
Hopefully this will get you on your way to what will work best for you.
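As an added worked example (my code, not part of the answer above or of Splunk), here is a Python `re` reproduction of the two rex patterns run over the sample event from the question, plus an anchored variant that reads the name from the `Target Account:` block. That distinction matters for detection: in a 4722 event the `Subject:` Account Name is the operator who enabled the account, while the `Target Account:` Account Name is the account that was enabled, so the first (lazy) pattern returns the operator, not the enabled user. The names `FIRST_ACCOUNT`, `LAST_ACCOUNT`, `TARGET_ACCOUNT`, `extract`, `enabled_account` and `demo` are my own; Python spells named groups `(?P<name>...)` where Splunk's PCRE uses `(?<name>...)`; the sample event is copied from the question, and its CRLF, blank-name and 4720 variants are constructed here.

```python
import re

# Constructed sample: the 4722 event from the question, LF line endings,
# single backslashes preserved by the raw string.
SAMPLE_4722 = r"""04/13/2018 01:33:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4722
EventType=0
Type=Information
ComputerName=dc.domain.local
TaskCategory=User Account Management
OpCode=Info
RecordNumber=4144536958
Keywords=Audit Success
Message=A user account was enabled.
Subject:
    Security ID:        company\server
    Account Name:       server
    Account Domain:     company
    Logon ID:       0x92A3188
Target Account:
    Security ID:        CASEYS\user
    Account Name:       user
    Account Domain:     domain
"""

# The answer's two patterns, translated to Python named-group syntax.
# Lazy [\s\S]+? stops at the first "Account Name:" (the Subject block);
# greedy [\s\S]+ backtracks to the last one (the Target Account block).
FIRST_ACCOUNT = re.compile(
    r"EventCode=4722[\s\S]+?Account Name:\s+(?P<enableusername>.+)")
LAST_ACCOUNT = re.compile(
    r"EventCode=4722[\s\S]+Account Name:\s+(?P<enableusername>.+)")

# Anchored variant (my addition): require the "Target Account:" heading,
# allow only spaces/tabs between the label and the value (so a blank value
# cannot spill onto the next line), and trim an optional trailing CR so
# CRLF events yield a clean field. (?m) lets $ match at each line end.
TARGET_ACCOUNT = re.compile(
    r"EventCode=4722[\s\S]+?Target Account:[\s\S]+?"
    r"Account Name:[ \t]+(?P<enableusername>\S[^\r\n]*?)[ \t]*\r?$",
    re.MULTILINE,
)


def extract(pattern, event):
    """Return the enableusername capture for one event, or None if no match."""
    m = pattern.search(event)
    return m.group("enableusername") if m else None


def enabled_account(event):
    """Account enabled by a 4722 event; None for any other event code."""
    return extract(TARGET_ACCOUNT, event)


def demo():
    """Run all three patterns over the sample and its constructed variants."""
    crlf = SAMPLE_4722.replace("\n", "\r\n")
    # Variant where the target Account Name line carries no value.
    blank = SAMPLE_4722.replace("    Account Name:       user\n",
                                "    Account Name:\n")
    return {
        "first": extract(FIRST_ACCOUNT, SAMPLE_4722),      # operator: "server"
        "last": extract(LAST_ACCOUNT, SAMPLE_4722),        # enabled: "user"
        "target": extract(TARGET_ACCOUNT, SAMPLE_4722),    # enabled: "user"
        "last_crlf": extract(LAST_ACCOUNT, crlf),          # "user\r" (dirty)
        "target_crlf": extract(TARGET_ACCOUNT, crlf),      # "user" (clean)
        "last_blank": extract(LAST_ACCOUNT, blank),        # spills to next line
        "target_blank": extract(TARGET_ACCOUNT, blank),    # None, no false value
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>12}: {value!r}")
    other = SAMPLE_4722.replace("EventCode=4722", "EventCode=4720")
    print(f"4720 variant: {enabled_account(other)!r}")
```

The same anchored expression works in Splunk as `rex field=_raw "(?m)EventCode=4722[\s\S]+?Target Account:[\s\S]+?Account Name:[ \t]+(?<enableusername>\S[^\r\n]*?)[ \t]*\r?$"`; the two checks worth keeping in mind are that `\s+` after the label will happily cross a line break when the value is empty (the greedy pattern then captures the next line's `Account Domain:` text), and that `.+` keeps a trailing `\r` on CRLF-formatted events, which breaks later equality comparisons on the field.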
