Splunk Search

Trying to extract the value of a field which occurs twice in one event. Regex maybe?

rob_gibson
Path Finder

I am hopeful someone has a suggestion for this reporting issue.

I have an event generated by Microsoft SQL Audit, which is being written to the Windows:Security log on the forwarder. I need to create a search string which captures the value of the 2nd "Account_Name" field, containing the value "userid". However, "Account_Name" field appears twice in each record. As the field name is not unique, my table is showing the value of both fields concatenated into one string.

Source Data Sample:
Subject:
Account Name: hostname1$
New Logon:
Account Name: userid

Table results displayed for "Account_Name":
hostname1$
userid

The following is sample event data (scrubbed):
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=hostname1.network.com
TaskCategory=Logon
OpCode=Info
RecordNumber=559165
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: hostname1$
Account Domain: MyDomain
Logon ID: 0x3E7

Logon Type: 10

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-606747145-790525478-839522115-29674
Account Name: userid
Account Domain: MySubDomain
Logon ID: 0x16ABZ9093
Logon GUID: {00000000-0000-0000-0000-000000000000}


scottrunyon
Contributor

Rob,

You can set the query using the "rex" command and then mvindex using "eval".

Something like this -

| rex field=_raw max_match=5 "Account Name:\s+(?<Account_Name>\w+\$?)"
| eval Wanted_ID=mvindex(Account_Name,1)

Note – The “1” in the mvindex returns the second instance of “Account Name”, count starts at 0.

Hope this helps,

Scott
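As an added example that is not part of the original thread, the Python script below reproduces Scott's two steps outside Splunk so the behaviour can be checked on a known event: the first function applies the same regex with a match limit (the rex with max_match=5), the second takes the element at index 1 (mvindex(Account_Name,1)), and a third function shows a section-anchored alternative that reads the Account Name that follows the "New Logon:" header instead of relying on position. SAMPLE_EVENT is a constructed copy of the scrubbed 4624 message from the question, and the hyphenated service account used in the second constructed event and all function names are assumptions made for illustration.

```python
import re
from typing import List, Optional

# Constructed sample: a copy of the scrubbed Security/4624 event from the question.
SAMPLE_EVENT = """LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
Message=An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: hostname1$
Account Domain: MyDomain
Logon ID: 0x3E7

Logon Type: 10

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-606747145-790525478-839522115-29674
Account Name: userid
Account Domain: MySubDomain
Logon ID: 0x16ABZ9093
Logon GUID: {00000000-0000-0000-0000-000000000000}
"""

# Second constructed event: the target account is a hyphenated service account
# (assumed name), which \w+ does not match in full.
HYPHEN_EVENT = SAMPLE_EVENT.replace("Account Name: userid", "Account Name: svc-sql")

# Same pattern as the rex in the answer: rex field=_raw max_match=5 "Account Name:\s+(?<Account_Name>\w+\$?)"
ACCOUNT_NAME_RE = re.compile(r"Account Name:\s+(?P<Account_Name>\w+\$?)")

# Anchored alternative: only the Account Name inside the "New Logon:" block.
# [\s\S]*? spans the intervening lines (Security ID etc.) without needing DOTALL.
NEW_LOGON_RE = re.compile(r"New Logon:[\s\S]*?Account Name:\s+(?P<Target_User>\S+)")


def account_names(event: str, max_match: int = 5) -> List[str]:
    """All Account Name values in document order, capped like rex max_match.

    This is the multivalue Account_Name field the rex command would produce.
    """
    return [m.group("Account_Name") for m in ACCOUNT_NAME_RE.finditer(event)][:max_match]


def wanted_id(event: str) -> Optional[str]:
    """Equivalent of eval Wanted_ID=mvindex(Account_Name,1).

    Index 1 is the second occurrence (count starts at 0). Like mvindex, this
    yields null (None) when the event has fewer than two Account Name values.
    """
    names = account_names(event)
    return names[1] if len(names) > 1 else None


def target_user(event: str) -> Optional[str]:
    """The Account Name under "New Logon:", independent of how many
    Account Name lines precede it or how the value is spelled."""
    m = NEW_LOGON_RE.search(event)
    return m.group("Target_User") if m else None


if __name__ == "__main__":
    print("Account_Name (multivalue):", account_names(SAMPLE_EVENT))
    print("mvindex(...,1):", wanted_id(SAMPLE_EVENT))
    print("New Logon account:", target_user(SAMPLE_EVENT))
    print("hyphenated account via \\w+:", wanted_id(HYPHEN_EVENT))
    print("hyphenated account anchored:", target_user(HYPHEN_EVENT))
```

Two things the positional approach depends on are worth knowing before building a report on it: mvindex(Account_Name,1) is null for any event that carries only one Account Name line, and the \w+\$? capture stops at the first character that is not a letter, digit or underscore, so an account such as svc-sql comes back as "svc". The anchored form can be expressed directly in SPL as, for example, | rex "New Logon:[\s\S]*?Account Name:\s+(?<Target_User>\S+)" and does not rely on the Subject block always appearing first.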

rob_gibson
Path Finder

Thanks Scott,

I'm getting errors trying to add this to my search. I think I'm missing something.
Error in 'rex' command: Encountered the following error while compiling the regex 'Account Name:\s+(?\w+\$?)': Regex: unrecognized character after (? or (?-

In your example, is 'Account Name:' a reference to my existing duplicate field, and is Wanted_ID a new name for the extracted field value?


rob_gibson
Path Finder

Hey I got it to work!

I left out the rex command and just used | eval Account_Name=mvindex(Account_Name,1) | in order to extract the second occurrence of the Account_Name field.

Many thanks Scott!!
