Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Trying to extract the value of a field which occurs twice in one event. Regex maybe?

rob_gibson
Path Finder
‎05-18-2017 11:29 AM

I am hopeful someone has a suggestion for this reporting issue.

I have an event generated by Microsoft SQL Audit, which is being written to the Windows:Security log on the forwarder. I need to create a search string which captures the value of the 2nd "Account_Name" field, containing the value "userid". However, "Account_Name" field appears twice in each record. As the field name is not unique, my table is showing the value of both fields concatenated into one string.

Source Data Sample;
Subject:
Account Name: hostname1$
New Logon:
Account Name: userid

Table results displayed for "Account_Name";
hostname1$
userid

The following is sample event data (scrubbed);
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=hostname1.network.com
TaskCategory=Logon
OpCode=Info
RecordNumber=559165
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: hostname1$
Account Domain: MyDomain
Logon ID: 0x3E7

Logon Type: 10

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-606747145-790525478-839522115-29674
Account Name: userid
Account Domain: MySubDomain
Logon ID: 0x16ABZ9093
Logon GUID: {00000000-0000-0000-0000-000000000000}

Tags (2)
0 Karma
Reply

scottrunyon
Contributor
‎05-18-2017 01:00 PM

Rob,

You can set a the query using the "rex" command and then mvindex using "eval".

Something like this -

| rex field=_raw max_match=5 "Account Name:\s+(?\w+\$?)"
| eval Wanted_ID=mvindex(Account_Name,1)

Note – The “1” in the mvindex returns the second instance of “Account Name”, count starts at 0.

Hope this helps,

Scott

Reply

rob_gibson
Path Finder
‎05-24-2017 07:47 AM

Thanks Scott,

I'm getting errors trying to add this to my search. I think I'm missing something.
Error in 'rex' command: Encountered the following error while compiling the regex 'Account Name:\s+(?\w+\$?)': Regex: unrecognized character after (? or (?-

In your example is 'Account Name: a reference to my existing duplicate field, and Wanted_ID is a new name for the extracted field value?

0 Karma
Reply

rob_gibson
Path Finder
‎05-24-2017 07:52 AM

Hey I got it to work!

I left out the rex command and just used | eval Account_Name=mvindex(Account_Name,1) | in order to extract the second occurrence of the Account_Name field.

Many thanks Scott!!

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...