Solved: Re: Rex extraction specific example

cburr2012 · ‎08-06-2012

Hello Splunkers,

Problem: Splunk query returns events where "Account_Name" appears twice, thus returning multiple/inaccurate Account Name results.

Solution: I want to rex grab the second instance of Account_Name. Here is an example of output:

Message=An account was successfully logged on.

Subject:
Security ID:        S-1-0-0

Account Name:       -
Account Domain:     -
Logon ID:       0x0

Logon Type:         3

New Logon:
Security ID:        S-1-5-21-1616162011-3457912633-3195248547-20163

Account Name:       johndoe

Account Domain:     THISDOMAIN
Logon ID:       stuff_here
Logon GUID:     {00000000-0000-0000-0000-000000000000}

In this situation, I want to grab "johndoe". I am not sure how to skip all of the lines in between the first Account Name and the second, then precede to pull "johndoe".

Thanks for your answers and help in advance.

hexx · ‎08-06-2012

You have a couple of options.

One is to use a multi-line regular expression and define a capture group targeted at the second occurrence of "Account Name:".

... | rex "(?ms)Account Name:.*?Account Name:\s+(?<account_name>\S+)"

A different, perhaps more flexible way is to define a negative lookahead that will cause the regular expression not to match when "Account Name:" is followed by a hyphen.

... | rex "Account Name:\s+(?!-)(?<account_name>\S+)"

View solution in original post

tiny3001 · ‎11-19-2012

I know this has been answered long ago, but I'm surprised that no one has mentioned eval and mvindex yet. With a multi-value field, you can use mvindex to target the first, second (or third or fourth, etc.) value of a field with the same name.

... 
| eval subject_account=mvindex(Account_Name, 0) 
| eval target_account=mvindex(Account_Name, 1) 
| where target_account = "some_account"

Some events also have an empty target account, in which case you can write an if statement into your eval. See this answer for an example.

http://splunk-base.splunk.com/answers/48096/account_name-field-listing-in-events-4624-4768-and-4769-...

For cases like Account_Name, I find the mvindex to be much easier to use than regular expressions.

hexx · ‎08-06-2012

You have a couple of options.

One is to use a multi-line regular expression and define a capture group targeted at the second occurrence of "Account Name:".

... | rex "(?ms)Account Name:.*?Account Name:\s+(?<account_name>\S+)"

A different, perhaps more flexible way is to define a negative lookahead that will cause the regular expression not to match when "Account Name:" is followed by a hyphen.

... | rex "Account Name:\s+(?!-)(?<account_name>\S+)"

cburr2012 · ‎08-06-2012

Yes, the flavor 🙂 Thanks again.

hexx · ‎08-06-2012

I am not sure what you mean by "Splunk rexing", but if what you are curious about is the flavor of regular expressions that Splunk uses, I can tell you that it's PCRE. If you want to know more about the syntax of the "rex" command and see examples, I would suggest to check this topic in the Search reference manual.

cburr2012 · ‎08-06-2012

Perfect, hexx.

Follow-up Question: Do you know of a good source for Splunk rexing? I don't have much experience with traditional regexing and am not familiar with the difference between the two, if any.

Rex extraction specific example

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation