Hi,
I am new to the Splunk environment.
I am trying to extract ModifiedAccountName, ModifiedAccountDomain, ModifiedLogonID and ModifiedLogonType using the following regex:
Regex
^(?msi)^EventCode=4634[^0-9].*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$]).*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+).*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+).*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$
The raw log is:
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=abc1.abc.aa.abc
TaskCategory=Logoff
OpCode=Info
RecordNumber=12232
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ABC\A12345F123$
Account Name: A123B126$
Account Domain: ABC
Logon ID: 0xA01234C
Logon Type: 5
I am getting the error "Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?<name>...)." while executing the Splunk search query below:
index=*windows* |rex field=_raw "^(?msi)^EventCode=4634[^0-9].*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$]).*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+).*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+).*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$"
Please advise.
Thanks in advance.
Your regex starts and ends with ^ and $, so it will never match your _raw field, as you are looking for
^(?msi)^EventCode=4634...
and your event starts with SourceName=..., not EventCode.
You don't need the double ^^ at the start either, so do either
^(?msi)SourceName=[\w\s\.]+EventCode=4634...
OR
(?msi)EventCode=4634...
Hi @manojsrms,
Try running rex separately:
index=*windows*
| rex "Account\sName:\s+(?<ModifiedAccountName>[\w]+[\$])"
| rex "Account\sDomain:\s+(?<ModifiedAccountDomain>[\w]+)"
| rex "Logon\sID:\s+(?<ModifiedLogonID>[\w]+)"
| rex "Logon\sType:\s+(?<ModifiedLogonType>[\d]+)"
If this reply helps you, a like would be appreciated.
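To see what these patterns actually do outside Splunk, here is an added Python example; it is not from the original thread or from Splunk. Splunk's rex uses PCRE, which Python's re module approximates, so the helper below rewrites (?<name>...) groups to Python's (?P<name>...) syntax and the patterns can otherwise be pasted as posted. The raw event from the question is constructed inline with newlines between its lines. The inline flags are moved to the front of the pattern and the duplicate ^ is dropped, because Python rejects flags that are not at the start. It runs the single-pattern form from the first reply, the one-rex-per-field form from the second reply, and an added \A variant that shows the difference between ^ under (?m), which matches at the start of every line, and a true start-of-event anchor.

```python
import re

# Constructed sample: the raw event from the question, joined with newlines the
# way Splunk holds a multi-line Windows Security event in _raw.
RAW_EVENT = (
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4634\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=abc1.abc.aa.abc\n"
    "TaskCategory=Logoff\n"
    "OpCode=Info\n"
    "RecordNumber=12232\n"
    "Keywords=Audit Success\n"
    "Message=An account was logged off.\n"
    "Subject:\n"
    "Security ID: ABC\\A12345F123$\n"
    "Account Name: A123B126$\n"
    "Account Domain: ABC\n"
    "Logon ID: 0xA01234C\n"
    "Logon Type: 5"
)

# The field-capturing tail of the questioner's regex, unchanged.
FIELD_TAIL = (
    r".*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$])"
    r".*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+)"
    r".*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+)"
    r".*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$"
)

# Flags moved to the front (Python 3.11+ rejects inline flags elsewhere) and
# the duplicate "^" dropped. Under (?m), "^" matches at the start of every line.
LINE_ANCHORED = r"(?msi)^EventCode=4634[^0-9]" + FIELD_TAIL
# "\A" is the start of the whole string regardless of (?m); added for contrast.
STRING_ANCHORED = r"(?msi)\AEventCode=4634[^0-9]" + FIELD_TAIL
# The unanchored form suggested in the first reply.
UNANCHORED = r"(?msi)EventCode=4634[^0-9]" + FIELD_TAIL

# One pattern per field, as in the second reply.
PER_FIELD = [
    r"Account\sName:\s+(?<ModifiedAccountName>[\w]+[\$])",
    r"Account\sDomain:\s+(?<ModifiedAccountDomain>[\w]+)",
    r"Logon\sID:\s+(?<ModifiedLogonID>[\w]+)",
    r"Logon\sType:\s+(?<ModifiedLogonType>[\d]+)",
]


def splunk_to_python(pattern):
    """Rewrite PCRE-style (?<name>...) groups as Python's (?P<name>...).
    The lookahead leaves (?<= and (?<! lookbehinds untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def extract(pattern, raw):
    """Mimic one `rex`: named groups of the first match, or {} when nothing matches."""
    m = re.search(splunk_to_python(pattern), raw)
    return m.groupdict() if m else {}


def extract_per_field(raw):
    """Mimic a chain of one `rex` per field: each pattern contributes what it finds."""
    fields = {}
    for pattern in PER_FIELD:
        fields.update(extract(pattern, raw))
    return fields


if __name__ == "__main__":
    for label, pattern in [("^ with (?m)", LINE_ANCHORED),
                           ("\\A", STRING_ANCHORED),
                           ("unanchored", UNANCHORED)]:
        print(f"{label:12} -> {extract(pattern, RAW_EVENT)}")
    print(f"per-field    -> {extract_per_field(RAW_EVENT)}")
```

Run as a script it prints the four field dictionaries. The \A form returns nothing because the event begins with SourceName=, while the ^ form still fires because (?m) lets ^ match at the start of the EventCode line; dropping the anchor, as the first reply suggests, or running one rex per field, as the second does, makes the result independent of that flag.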