How to extract values from an event?

TB · ‎05-22-2022

Hi,

I am trying to create a table but how do I extract these information in my query? I tried double quote " " but it's just looking for exact word.

I want to list out like Subject: Account Name, then Logon Info

Subject:
	Security ID:		S-1
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		No

rmation: Logon Type: 3. I hope it makes sense. Thank you

ITWhisperer · ‎05-22-2022

| rex "Account Name:\s*(?<accountname>\S*)"
| rex "Logon Type:\s*(?<logontype>\S*)"

How to extract values from an event?

metadata