Hello
I am trying to extract the username from windows security event logs. It seems that there are 2 account name fields and I'm trying to extract the second.
04/14/2016 02:15:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=X
EventType=X
Type=X
ComputerName=X
TaskCategory=X
OpCode=X
RecordNumber=X
Keywords=Audit Success
Message=A user account was locked out.
Subject:
Security ID: X
Account Name: Domain Controller
Account Domain: X
Logon ID: X
Account That Was Locked Out:
Security ID: X\me
Account Name: me
I am trying to extract the 2nd Account_Name field (in this example I set the field value to me).
Any thoughts on how I could accomplish this? The value will almost certainly be different for the field as it changes often.
What I had was:
rex field=_raw "Account Name:\s*(?<user>\w.*)" (had to use quotes around user as the <> made the value not appear in the text)
But of course that extracts BOTH Account Name fields.
Thanks for any pointers, the help is appreciated!
Give this a try (takes the last Account Name that appears in the event):
| rex "([\S*\s*]*[\r\n])*\s*Account Name\:\s+(?<user>.*)[\r\n]*"
Couldn't get this one to work
Ok. Give this a try as well:
... | rex "Account Name:.*([\r\n])*Account Name\:\s+(?<user>.*)[\r\n]*"
Try this,
... | rex field=_raw max_match=100 "Account Name:\s*(?<user>\w.*)"
The max_match option lets you extract multiple values with the same regular expression. You can specify your own number here; I've used 100 matches, and you can change it based on your use case.
Read this document for more info,
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Rex
Thanks,
V
Yes this worked as well BUT with the caveat that it includes BOTH Account Names
Something like this might work:
| rex "Security ID\: \S*[\r\n]Account Name\: (?<user>\S*)[\r\n]"
Basically you are telling it to look for the line before the 2nd Account Name (Security ID) and then start capturing on the line following it after the words "Account Name".
Unfortunately both Account Name fields are preceded by Security ID fields
| eval subject_account=mvindex(Account_Name, 0) | eval target_account=mvindex(Account_Name, 1)
Just add another line then to give it more context... i.e.
| rex "Account That Was Locked Out\: \S*[\r\n]Security ID\: \S*[\r\n]Account Name\: (?<user>\S*)[\r\n]"
You can also add what should be expected after the field extraction too.
That is what I did, thanks!
Can you choose Accept Answer please?
Also, out of curiosity, what happens if you use the interactive field extractor in Splunk Web?
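The three approaches discussed in this thread, translated into Python's re module so they can be run offline against a sample event: the naive regex that stops at the first Account Name, the max_match / mvindex multivalue approach, and the accepted rex that anchors on the "Account That Was Locked Out:" heading. This is an added example, not code from the thread or from Splunk; the sample event is constructed (placeholder SIDs, names and computer), and Python's `(?P<name>...)` named-group syntax stands in for Splunk's `(?<name>...)`. The CRLF line endings and tab indentation in the sample are assumptions about how the Windows event message arrives, included to show why `\S+` is safer than `.*` for the captured value.

```python
import re

# Constructed sample of a Windows Security event 4740 ("A user account was locked out"),
# modelled on the event in the question. All values are placeholders. The tab
# indentation and CRLF line endings are an assumption about the raw message format.
SAMPLE_EVENT = "\r\n".join([
    "04/14/2016 02:15:41 PM",
    "LogName=Security",
    "SourceName=Microsoft Windows security auditing.",
    "EventCode=4740",
    "Keywords=Audit Success",
    "Message=A user account was locked out.",
    "",
    "Subject:",
    "\tSecurity ID: S-1-5-18",
    "\tAccount Name: DC01$",
    "\tAccount Domain: EXAMPLE",
    "\tLogon ID: 0x3E7",
    "",
    "Account That Was Locked Out:",
    "\tSecurity ID: EXAMPLE\\me",
    "\tAccount Name: me",
    "",
    "Additional Information:",
    "\tCaller Computer Name: WS01",
])


def first_account_name(event):
    """Equivalent of rex "Account Name:\\s*(?<user>\\w.*)": returns only the FIRST match,
    which in a 4740 event is the Subject (the account that reported the lockout)."""
    m = re.search(r"Account Name:\s*(?P<user>\w.*)", event)
    # '.' matches '\r', so strip it from the captured line
    return m.group("user").rstrip() if m else None


def all_account_names(event):
    """Equivalent of rex max_match=100 "Account Name:\\s*(?<user>\\w.*)": every match,
    i.e. the multivalue field the thread complains about."""
    return [v.rstrip() for v in re.findall(r"Account Name:\s*(\w.*)", event)]


def target_account_by_index(event):
    """Equivalent of eval target_account=mvindex(Account_Name, 1): pick the second value
    of the multivalue field. Relies on field order, so it silently returns the wrong
    account if the event layout differs."""
    names = all_account_names(event)
    return names[1] if len(names) > 1 else None


def last_account_name(event):
    """'Take the last Account Name in the event': iterate all matches and keep the last."""
    last = None
    for m in re.finditer(r"Account Name:\s*(?P<user>\S+)", event):
        last = m.group("user")
    return last


# The accepted approach: anchor on the section heading so the match cannot land on the
# Subject block. \s* absorbs CR/LF and tabs between the lines; \S+ stops at line end.
LOCKED_OUT_RE = re.compile(
    r"Account That Was Locked Out:\s*Security ID:\s*\S+\s*Account Name:\s*(?P<user>\S+)"
)
SUBJECT_RE = re.compile(
    r"Subject:\s*Security ID:\s*\S+\s*Account Name:\s*(?P<user>\S+)"
)


def target_account_by_context(event):
    """Locked-out account, or None if the event has no 'Account That Was Locked Out' block
    (fails closed instead of returning the Subject account)."""
    m = LOCKED_OUT_RE.search(event)
    return m.group("user") if m else None


def extract_lockout_accounts(event):
    """Both accounts a defender wants from a 4740: who reported it and who was locked out."""
    subject = SUBJECT_RE.search(event)
    target = LOCKED_OUT_RE.search(event)
    return {
        "subject": subject.group("user") if subject else None,
        "target": target.group("user") if target else None,
    }


if __name__ == "__main__":
    print("first match      :", first_account_name(SAMPLE_EVENT))
    print("all matches      :", all_account_names(SAMPLE_EVENT))
    print("mvindex(..., 1)  :", target_account_by_index(SAMPLE_EVENT))
    print("last match       :", last_account_name(SAMPLE_EVENT))
    print("context-anchored :", target_account_by_context(SAMPLE_EVENT))
    print("both accounts    :", extract_lockout_accounts(SAMPLE_EVENT))
```

The context-anchored pattern is the one to prefer: the index-based and last-match variants only work because the lockout block happens to come second, whereas anchoring on the heading returns None when the block is absent, which is the behaviour you want before an alert keys on the extracted user.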
Do you not have the Windows TA installed? What event code are you seeing this in? In my experience the TA extracts each account name as a different field (Src and Dest user), so I am not sure where/why you wouldn't be seeing such a case if the TA is installed.
The specific event code I'm looking at is: EventCode=4740
Do you mean Splunk_TA_windows? If so, yes, it's installed and deployed, but there are no fields named (Src and Dest user).
Looking through the TA's props.conf and transforms.conf now, and those fields do have their regex written for them. You installed the Splunk_TA_windows on the search heads? -- Presumably, I'd rather get the TA fixed than have a custom REGEX that only solves one field over all of the fields. Do you have any custom parsers written at the private, app or global level for Windows events? That would be the #1 reason why the TA no longer parses the data.
So it seems there was an override. I put in the field extraction from above as a temp fix but you are also correct. I will correct this at the source ASAP