Below is the sample event
01/15/2019 03:49:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4738
EventType=0
Type=Information
ComputerName=STM12R2DC003.abc.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=2309384837
Keywords=Audit Success
Message=A user account was changed.
Subject:
Security ID: COMPANY\KS3840
Account Name: KS3840
Account Domain: company
Logon ID: 0x94B1FF95
Target Account:
Security ID: COMPANY\BArandallAU8340
Account Name: BArandallAU8340
Account Domain: COMPANY
I am trying to extract the highlighted one using the following regex, which I made using regex101. It works correctly in regex101, but when I use the same regex in Splunk it throws the error Regex: unmatched closing parenthesis.
Regex
(Target\sAccount\:\s+Security\sID\:\s*)COMPANY\\(?<ABC>[^ ]+)Account
In Splunk
|rex field=_raw "(Target\sAccount\:\s+Security\sID\:\s*)COMPANY\\(?<ABC>[^ ]+)Account"
output
BArandallAU8340
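Added example (not from the thread): a short Python script that models why the same regex passes on regex101 but is rejected by rex. Splunk treats the backslash as the escape character inside a double-quoted search string, so the `\\` written before `(?<ABC>` reaches the PCRE engine as a single backslash, which escapes the group's opening parenthesis and leaves its closing parenthesis unmatched. Writing four backslashes (or matching the literal backslash with `.`, as the thread's final fix does) avoids this. Assumptions: the sample event is constructed from the one in the question, the `spl_unescape` helper only models the two Splunk escapes that matter here, and Python's `(?P<name>...)` group syntax stands in for PCRE's `(?<name>...)`.

```python
import re
from typing import Optional

# Constructed sample, modelled on the 4738 event in the question (only the
# message body matters for the extraction).
SAMPLE_EVENT = r"""Message=A user account was changed.
Subject:
Security ID: COMPANY\KS3840
Account Name: KS3840
Account Domain: company
Logon ID: 0x94B1FF95
Target Account:
Security ID: COMPANY\BArandallAU8340
Account Name: BArandallAU8340
Account Domain: COMPANY"""

# Exactly what would be typed between the double quotes of `rex field=_raw "..."`.
# Python named groups are (?P<name>...); PCRE and Splunk use (?<name>...).
# The group name ABC is the one used in the question.
ORIGINAL = r"(Target\sAccount\:\s+Security\sID\:\s*)COMPANY\\(?P<ABC>[^ ]+)Account"
FIXED = r"Target\sAccount:\s+Security\sID:\s*COMPANY\\\\(?P<ABC>\S+)"
DOT_VARIANT = r"Target\sAccount:\s+Security\sID:\s*COMPANY.(?P<ABC>\w+)"


def spl_unescape(search_string: str) -> str:
    r"""Approximate what Splunk does to a double-quoted rex string before it
    reaches the regex engine (assumption: only the two escapes that matter
    here are modelled). Backslash escapes backslash and double quote, so
    \\ becomes \ and \" becomes "; other sequences such as \s or \w are
    passed through untouched, which is why they keep working in rex."""
    return re.sub(r'\\([\\"])', r'\1', search_string)


def rex_error(search_string: str) -> Optional[str]:
    """Compile the pattern the way the engine would see it and return its
    complaint, or None when the pattern compiles cleanly."""
    try:
        re.compile(spl_unescape(search_string))
    except re.error as exc:
        return str(exc)
    return None


def splunk_rex(raw: str, search_string: str) -> Optional[dict]:
    """Minimal stand-in for `| rex field=_raw "<search_string>"`: unescape,
    search the event, and return the named groups as the fields rex creates."""
    match = re.compile(spl_unescape(search_string)).search(raw)
    return match.groupdict() if match else None


if __name__ == "__main__":
    # The escaped "(" is visible once the string is unescaped.
    print("regex as the engine sees it:", spl_unescape(ORIGINAL))
    print("error:", rex_error(ORIGINAL))
    for name, pattern in (("FIXED", FIXED), ("DOT_VARIANT", DOT_VARIANT)):
        print(name, "->", splunk_rex(SAMPLE_EVENT, pattern))
```

In Splunk the equivalent of `FIXED` is `| rex field=_raw "Target\sAccount:\s+Security\sID:\s*COMPANY\\\\(?<ABC>\S+)"`; `\S+` is used rather than `[^ ]+` so the capture stops at the end of the line instead of running into the next one.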
Without trying to modify your regex, does this help?
|rex field=_raw "((Target\sAccount\:\s+Security\sID\:\s*)COMPANY\\(?<ABC>[^ ]+)Account)"
You need to escape the parenthesis to avoid this error. You can use a backslash to do it before the parenthesis.
Also, I don't see a field name for your regular expression. Try this instead; your field name will be CompanyName:
COMPANY\*(?<CompanyName>\w+)
I named the field as ABC
I see it now. Regardless, the regex I posted is faster with fewer steps and should solve your problem.
I tried yours but it did not extract anything. I am trying to extract only the second account name in the event, which is BArandallAU8340:
Security ID: COMPANY\BArandallAU8340
Account Name: BArandallAU8340
Account Domain: COMPANY
Did you modify your original sample data? It had a * in it previously and now it doesn't, which explains why it didn't capture it. I see you have a working solution; please accept the answer to close it out.
I figured it out:
Target\sAccount:\s+Security\sID:\s*COMPANY.(?\w+)
@vrmandadi can you accept the answer to close this out?