Splunk Search

Rex expression multi line with line break

jared_anderson
Path Finder

I copied the log from splunk to regex101.com. I am searching against Windows Event Viewer logs. Event Code 4722 and 4720. I am trying to create a new field. I am trying to create a new field 'enableusername' that matches Account Name only for event 4722. Writing regular a regular expression in regex101.com matches, but as soon as i use the rex command it doesn't work.

I tested creating test fields 1 line at a time. My test fields worked correctly until I got the the line break in the log. It fails once we hit the line break in the log. Line 13.

rex " EventCode=4722(\n.+\s?){8}\s\nSubject:(\n.+\s?){4}\s\n.+\n\s.+\n\sAccount Name:\s\s(?<test>.+?)\n"

04/13/2018 01:33:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4722
EventType=0
Type=Information
ComputerName=dc.domain.local
TaskCategory=User Account Management
OpCode=Info
RecordNumber=4144536958
Keywords=Audit Success
Message=A user account was enabled.

Subject:
    Security ID:        company\server
    Account Name:       server
    Account Domain:     company
    Logon ID:       0x92A3188

Target Account:
    Security ID:        CASEYS\user
    Account Name:       user
    Account Domain:     domain
0 Karma
1 Solution

cpetterborg
SplunkTrust
SplunkTrust

I believe that the following two examples could work for what you want. The first will get you the first Account Name, and the second will get the last Account Name:

rex field=raw " EventCode=4722[\s\S]+?Account Name:\s+(?<enableusername>.+)"

rex field=raw " EventCode=4722[\s\S]+Account Name:\s+(?<enableusername>.+)"

This has worked for my test case which I'm supplying the search for:

| makeresults 
| eval raw="04/13/2018 01:33:58 PM
 LogName=Security
 SourceName=Microsoft Windows security auditing.
 EventCode=4722
 EventType=0
 Type=Information
 ComputerName=dc.domain.local
 TaskCategory=User Account Management
 OpCode=Info
 RecordNumber=4144536958
 Keywords=Audit Success
 Message=A user account was enabled.

 Subject:
     Security ID:        company\server
     Account Name:        server
     Account Domain:        company
     Logon ID:        0x92A3188

 Target Account:
     Security ID:        CASEYS\user
     Account Name:        user
     Account Domain:        domain"
| rex field=raw " EventCode=4722[\s\S]+?Account Name:\s+(?< enableusername >.+)"

Hopefully this will get you on your way to what will work best for you.

View solution in original post

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

I believe that the following two examples could work for what you want. The first will get you the first Account Name, and the second will get the last Account Name:

rex field=raw " EventCode=4722[\s\S]+?Account Name:\s+(?<enableusername>.+)"

rex field=raw " EventCode=4722[\s\S]+Account Name:\s+(?<enableusername>.+)"

This has worked for my test case which I'm supplying the search for:

| makeresults 
| eval raw="04/13/2018 01:33:58 PM
 LogName=Security
 SourceName=Microsoft Windows security auditing.
 EventCode=4722
 EventType=0
 Type=Information
 ComputerName=dc.domain.local
 TaskCategory=User Account Management
 OpCode=Info
 RecordNumber=4144536958
 Keywords=Audit Success
 Message=A user account was enabled.

 Subject:
     Security ID:        company\server
     Account Name:        server
     Account Domain:        company
     Logon ID:        0x92A3188

 Target Account:
     Security ID:        CASEYS\user
     Account Name:        user
     Account Domain:        domain"
| rex field=raw " EventCode=4722[\s\S]+?Account Name:\s+(?< enableusername >.+)"

Hopefully this will get you on your way to what will work best for you.

View solution in original post

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!