I am searching the Windows Event 'Message' body and trying to get the 2nd 'Account Name:' value only. Maybe the problem is that 'Account Name:' has two different values after it. The first is always a computer object and the second is the user or service account. Most of what I have tried gets me only the first value, or both the first and second. Getting only the 2nd value has evaded me. It seems like it would be a common hurdle to encounter with Windows events, since a high percentage of the events have both.

Message=An account failed to log on.

Subject:
    Security ID: S-1-5-18
    Account Name: ComputerAccount$
    Account Domain: Domain
    Logon ID: 0x3E8

Logon Type: 3

Account For Which Logon Failed:
    Security ID: S-1-0-0
    Account Name: svc_account
    Account Domain: Domain

Failure Information:
    Failure Reason: Account locked out.
    Status: 0xC0000236
    Sub Status: 0x0

++++ Failed attempts thus far:

| rex "(?ms)^Message\=(?<Message2>.+)\.$" | rex "(?ms).*Account Name:\s+(?<Account_Name>\S+)"

| rex field=Message max_match=2 "Account Name: (?<logon>.+)" | eval logon=if(mvcount(logon)=2, mvindex(logon, 1), logon)

| rex field=Message "Account Name\:\s+(?<ACCOUNT_NAME>.+)"

| rex field=Message "Account Name:\:\s+(?<ACCOUNT_NAME>[^\r\n]+)"

| rex field=Message "Account Name:\s+(?<ACCOUNT_NAME>[^\r\n]+)"

| rex field=Message "Account Name:\s+(?<ACCOUNT_NAME>[^:]+)"
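The two ways of isolating the second value, worked through as an added Python example (not code from the post or from Splunk): anchoring on the "Account For Which Logon Failed:" section header so the match does not depend on ordering, and collecting every "Account Name:" value and indexing the second, which is what max_match plus mvindex does in SPL. The field name target_account and the sample 4625 body are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed sample: the 4625 body from the question, laid out on
# separate lines the way it arrives in the Message field.
SAMPLE_4625 = """An account failed to log on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tComputerAccount$
\tAccount Domain:\t\tDomain

Logon Type:\t\t\t3

Account For Which Logon Failed:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\tsvc_account
\tAccount Domain:\t\tDomain

Failure Information:
\tFailure Reason:\t\tAccount locked out.
"""

# Approach 1: anchor on the section header, then take the first
# "Account Name:" after it. DOTALL lets .*? cross line breaks, so the
# Subject block's value can never be picked up by mistake. The SPL
# equivalent (hypothetical field name, Splunk uses (?<name>) not (?P<name>)):
#   | rex field=Message "(?s)Account For Which Logon Failed:.*?Account Name:\s+(?<target_account>\S+)"
SECTION_RE = re.compile(
    r"Account For Which Logon Failed:.*?Account Name:\s+(?P<target_account>\S+)",
    re.DOTALL,
)

# Approach 2: every "Account Name:" value in order, then index into it.
# This mirrors rex max_match=0 followed by mvindex(field, 1).
ALL_RE = re.compile(r"Account Name:\s+(\S+)")


def target_account(message: str) -> Optional[str]:
    """Account in the 'Account For Which Logon Failed' section, or None."""
    m = SECTION_RE.search(message)
    return m.group("target_account") if m else None


def all_account_names(message: str) -> List[str]:
    """All 'Account Name:' values in document order (Subject first)."""
    return ALL_RE.findall(message)


def nth_account_name(message: str, n: int) -> Optional[str]:
    """The n-th (0-based) 'Account Name:' value, or None if there is no such value."""
    names = all_account_names(message)
    return names[n] if n < len(names) else None
```

The section-anchored form is the safer one in SPL as well, because events with a single "Account Name:" (no Subject block) leave mvindex(field, 1) empty instead of returning the wrong account.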