Splunk Search

rex expression

pil321
Communicator

I need to extract the account name from this snippet of a Windows security event log:

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Joe User
    Account Domain: Some.Domain

This is the expression I'm using:

rex "Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s"

Which gives me this result:

 TargetAccount
          Joe

How do I account for the white space to get the rest of the account name to show up in the result?

Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

modify your regex in this way

Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>.*)

verify it on https://regex101.com/
Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

modify your regex in this way

Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>.*)

verify it on https://regex101.com/
Bye.
Giuseppe

0 Karma

sundareshr
Legend

Try this

.... | rex "Name:\s(?<TargetAccount>[^\n\r]+)"

MuS
Legend

upvoted, because the regex is matching faster 😉

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...