I need to extract the account name from this snippet of a Windows security event log:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Joe User
Account Domain: Some.Domain
This is the expression I'm using:
rex "Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s"
Which gives me this result:
TargetAccount
Joe
How do I account for the white space to get the rest of the account name to show up in the result?
Modify your regex in this way:
Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>.*)
Verify it on https://regex101.com/
Bye.
Giuseppe
Try this
.... | rex "Name:\s(?<TargetAccount>[^\n\r]+)"
upvoted, because the regex is matching faster 😉
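Added example, not part of the thread: the three patterns posted above, run against a constructed logon-failure message that also carries the Subject block a full event contains. JavaScript is used because its regex engine accepts the same `(?<name>...)` group syntax; the sample text (including the trailing spaces after the name) and the `anchoredTrimmed` pattern are assumptions made for illustration.

```javascript
// Constructed sample: CRLF line endings, tab-separated values, and a
// Subject block that has its own "Account Name:" line before the one we want.
// Two trailing spaces after "Joe User" are added to show the trimming case.
const EVENT = [
  "An account failed to log on.",
  "",
  "Subject:",
  "\tSecurity ID:\t\tNULL SID",
  "\tAccount Name:\t\t-",
  "\tAccount Domain:\t\t-",
  "",
  "Account For Which Logon Failed:",
  "\tSecurity ID:\t\tNULL SID",
  "\tAccount Name:\t\tJoe User  ",
  "\tAccount Domain:\t\tSome.Domain",
].join("\r\n");

const PATTERNS = {
  // From the question: \S+ stops at the first space in the name.
  question: /Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s/,
  // From the first answer: .* runs to the end of the line.
  firstAnswer: /Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>.*)/,
  // From the second answer: no "Failed:" anchor, one \s after the colon.
  secondAnswer: /Name:\s(?<TargetAccount>[^\n\r]+)/,
  // Added variant (hypothetical, not from the thread): keeps the "Failed:"
  // anchor, stops explicitly at CR/LF, and captures from the first to the
  // last non-space character on the line.
  anchoredTrimmed:
    /Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S(?:[^\r\n]*\S)?)/,
};

// Return the TargetAccount capture for the named pattern, or null.
function extract(name, text = EVENT) {
  const m = PATTERNS[name].exec(text);
  return m ? m.groups.TargetAccount : null;
}

for (const name of Object.keys(PATTERNS)) {
  // JSON.stringify makes tabs and trailing spaces visible in the output.
  console.log(name.padEnd(16), JSON.stringify(extract(name)));
}
```

On this sample the unanchored pattern returns the Subject block's value with a leading tab instead of the failed account, so a search built on it would group failures under the wrong name whenever that block is present.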