cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
manojsrms
Engager
Member since: ‎08-10-2021
‎08-11-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎08-10-2021
Activity Feed
View All

Trying to extract fields using regex

by in Splunk Search
‎08-10-2021 09:19 AM
1 Karma
‎08-10-2021 09:19 AM
1 Karma
Hi,  I am new to Splunk environment.  I am trying to extract ModifiedAccountName, ModifiedAccountDomain, ModifiedLogonID and ModifiedLogonType using following regex-- Regex ^(?msi)^EventCode=4634[^0-9].*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$]).*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+).*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+).*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$ Where raw Log is -- SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=abc1.abc.aa.abc TaskCategory=Logoff OpCode=Info RecordNumber=12232 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ABC\A12345F123$ Account Name: A123B126$ Account Domain: ABC Logon ID: 0xA01234C Logon Type: 5 Getting error "Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?<name>...)." while executing below Splunk search query --- index=*windows* |rex field=_raw "^(?msi)^EventCode=4634[^0-9].*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$]).*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+).*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+).*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$" Please advise.  Thanks in advance.  ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-11-2021 08:49 AM
Karma from
View All