Solved: Windows Security Logs: Regex Filtering Search time

arrowsmith3 · ‎11-11-2011

I have a windows security event that I am trying to extract a custom field for failed logon events. The problem I have is there are two duplicate categories and the text I am after is in the second category:

Ex:
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: PCVS Operator
Account Domain: PCVSB681-2

Normally I would just put in rex "Account Name:(?.+)" to extract the content of this field but since there is two of them, is there a way to skip the first field and go directly to the second?

Thanks!

arrowsmith3 · ‎11-21-2011

This resolved my question, thanks goes to ziegfried.

rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?\V+)"

View solution in original post

arrowsmith3 · ‎11-21-2011

This resolved my question, thanks goes to ziegfried.

rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?\V+)"

arrowsmith3 · ‎11-21-2011

Thank you but that didnt work, when I apply that to my search string it will list the entire content of the event.

Any other suggestions?

_d_ · ‎11-11-2011

Try this:

| rex "(?ms)Account Name.*Account Name:(?<account>.+)"

Hope it helps.

> please upvote and accept answer if you find it useful - thanks!

Windows Security Logs: Regex Filtering Search time

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms