Solved: rex expression

pil321 · ‎10-05-2016

I need to extract the account name from this snippet of a Windows security event log:

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Joe User
    Account Domain: Some.Domain

This is the expression I'm using:

rex "Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s"

Which gives me this result:

 TargetAccount
          Joe

How do I account for the white space to get the rest of the account name to show up in the result?

gcusello · ‎10-06-2016

modify your regex in this way

Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>.*)

verify it on https://regex101.com/
Bye.
Giuseppe

gcusello · ‎10-06-2016

modify your regex in this way

Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>.*)

verify it on https://regex101.com/
Bye.
Giuseppe

sundareshr · ‎10-05-2016

Try this

.... | rex "Name:\s(?<TargetAccount>[^\n\r]+)"

MuS · ‎10-05-2016

upvoted, because the regex is matching faster 😉

rex expression