Hi, I am new to the Splunk environment. I am trying to extract ModifiedAccountName, ModifiedAccountDomain, ModifiedLogonID and ModifiedLogonType using the following regex:

    ^(?msi)^EventCode=4634[^0-9].*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$]).*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+).*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+).*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$

where the raw log is:

    SourceName=Microsoft Windows security auditing.
    EventCode=4634
    EventType=0
    Type=Information
    ComputerName=abc1.abc.aa.abc
    TaskCategory=Logoff
    OpCode=Info
    RecordNumber=12232
    Keywords=Audit Success
    Message=An account was logged off.

    Subject:
        Security ID:    ABC\A12345F123$
        Account Name:   A123B126$
        Account Domain: ABC
        Logon ID:       0xA01234C

    Logon Type:     5

I am getting the error "Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?<name>...)." while executing the Splunk search query below:

    index=*windows* | rex field=_raw "^(?msi)^EventCode=4634[^0-9].*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$]).*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+).*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+).*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$"

Please advise. Thanks in advance.
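An added example, not part of the original post, that runs the posted regex outside Splunk so its matching behaviour can be checked on its own. Splunk's rex uses PCRE; Python's re module is close enough for this pattern, but it writes named groups as (?P<name>...) and (since Python 3.11) requires the global (?msi) flags at the very start, so those two things are adjusted and the duplicated leading ^ is dropped, with the pattern otherwise kept exactly as posted. The two events are constructed to resemble the post's multi-line Windows event; the second one (a user account without a trailing $, in a domain containing a digit and a hyphen) is my own addition, as is the looser second regex, which is a suggestion and not something from the post. Like rex, the helper returns nothing at all when any part of the regex fails to match.

```python
"""Check the Windows 4634 logoff regex from the post against sample events."""
import re
from typing import Dict, Optional

# The post's regex with PCRE named groups rewritten as (?P<name>...) and the
# inline flags moved to the front (Python 3.11+ rejects them elsewhere).
POSTED_REGEX = re.compile(
    r"(?msi)^EventCode=4634[^0-9]"
    r".*Account\sName:\s+(?P<ModifiedAccountName>[a-z0-9]+[\$])"
    r".*Account\sDomain:\s+(?P<ModifiedAccountDomain>[a-z]+)"
    r".*Logon\sID:\s+(?P<ModifiedLogonID>[A-Z0-9]+)"
    r".*Logon\sType:\s+(?P<ModifiedLogonType>[\d]+)$"
)

# Suggested looser variant (my own, not from the post): take the rest of the
# line for the name and domain, so user accounts without a trailing $ and
# domains containing digits or hyphens still match; the logon ID is pinned to
# the 0x... form Windows always uses.
LOOSER_REGEX = re.compile(
    r"(?msi)^EventCode=4634[^0-9]"
    r".*Account\sName:\s+(?P<ModifiedAccountName>[^\r\n]+)"
    r".*Account\sDomain:\s+(?P<ModifiedAccountDomain>[^\r\n]+)"
    r".*Logon\sID:\s+(?P<ModifiedLogonID>0x[0-9a-f]+)"
    r".*Logon\sType:\s+(?P<ModifiedLogonType>\d+)$"
)

# Constructed sample: the post's event laid out one field per line, which is
# how the Windows TA presents these events (an assumption about the layout).
MACHINE_LOGOFF = (
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4634\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=abc1.abc.aa.abc\n"
    "TaskCategory=Logoff\n"
    "OpCode=Info\n"
    "RecordNumber=12232\n"
    "Keywords=Audit Success\n"
    "Message=An account was logged off.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tABC\\A12345F123$\n"
    "\tAccount Name:\t\tA123B126$\n"
    "\tAccount Domain:\t\tABC\n"
    "\tLogon ID:\t\t0xA01234C\n"
    "\n"
    "Logon Type:\t\t\t3" .replace("3", "5", 0)  # kept literal below
)

# Constructed sample: an interactive user, not a machine account.
USER_LOGOFF = (
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4634\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=ws01.corp-01.example\n"
    "TaskCategory=Logoff\n"
    "OpCode=Info\n"
    "RecordNumber=98871\n"
    "Keywords=Audit Success\n"
    "Message=An account was logged off.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tCORP-01\\jsmith\n"
    "\tAccount Name:\t\tjsmith\n"
    "\tAccount Domain:\t\tCORP-01\n"
    "\tLogon ID:\t\t0x5F2C3\n"
    "\n"
    "Logon Type:\t\t\t3"
)


def extract(pattern: re.Pattern, event: str) -> Optional[Dict[str, str]]:
    """Return the named groups, or None when the regex as a whole does not match."""
    match = pattern.search(event)
    return match.groupdict() if match else None


if __name__ == "__main__":
    for label, event in (("machine", MACHINE_LOGOFF), ("user", USER_LOGOFF)):
        print(label, "posted regex:", extract(POSTED_REGEX, event))
        print(label, "looser regex:", extract(LOOSER_REGEX, event))
```

The point the run makes: the posted pattern works on the machine-account event, but because `[a-z0-9]+[\$]` insists on a trailing `$` and `[a-z]+` allows only letters in the domain, a logoff of an ordinary user account (or any domain with a digit or hyphen) yields no fields at all, since a single failing group fails the whole regex, exactly as rex behaves in Splunk.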