07/20/2012 05:19:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4726 EventType=0 Type=Information ComputerName=DCSERVER TaskCategory=User Account Management OpCode=Info RecordNumber=17011111115 Keywords=Audit Success Message=A user account was deleted. Subject: Security ID: DOMAIN\SECID Account Name: SECID Account Domain: DOMAINNAME Logon ID: 0x6e46ffd0 Target Account: Security ID: S-3-5-21-2246893-1118314593-79235642-331713 Account Name: acctname Account Domain: DOMAIN Additional Information: Privileges -
We are able to parse the message for Account Name, but both account names are in the results:
SECID
acctname
We would like to create a field extraction to provide only the second Account Name: acctname
We would like to create a regex for this, since the change to props.conf did not work. Thank you for any help that can be given.
Attempt #3:
Part of the problem may be that there are already field extractions defined for sourcetype WinEventLog:Security. To override them, put this stanza in this location: $SPLUNK_HOME\etc\system\local\props.conf
[WinEventLog:Security]
EXTRACT-e2="Account Name:\s+(?P<account_name>\S+)\s+Account Domain"
This will not eliminate other fields. If you still find that account_name is a multi-valued field, I suggest that you use a different name, such as acct_name, that is not already being used.
Yes, you could go ferret out where all the Windows Event Log fields are defined, and change them, but then the dashboards, etc. that are built into the Splunk for Windows app will stop working...
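As an added check, not part of any post in this thread: the Python script below applies each pattern proposed here, plus one alternative that anchors on the "Target Account:" label, to the event quoted in the question and to a second constructed event whose Subject is a realistic user rather than the SECID placeholder. The event text, the jsmith account name and the target_anchor pattern are constructed for this example; the thread's patterns are reproduced with the surrounding double quotes dropped (they are not part of the pattern) and (?<name>...) rewritten as (?P<name>...) for Python's re module.

```python
import re

# Constructed sample event, modelled on the EventCode=4726 line quoted in the
# question. The SIDs and account names are the question's own placeholders.
EVENT = (
    "07/20/2012 05:19:38 AM LogName=Security SourceName=Microsoft Windows security auditing. "
    "EventCode=4726 EventType=0 Type=Information ComputerName=DCSERVER "
    "TaskCategory=User Account Management OpCode=Info RecordNumber=17011111115 "
    "Keywords=Audit Success Message=A user account was deleted. "
    "Subject: Security ID: DOMAIN\\SECID Account Name: SECID Account Domain: DOMAINNAME "
    "Logon ID: 0x6e46ffd0 "
    "Target Account: Security ID: S-3-5-21-2246893-1118314593-79235642-331713 "
    "Account Name: acctname Account Domain: DOMAIN "
    "Additional Information: Privileges -"
)

# Second constructed event: same layout, but the Subject is a made-up realistic
# user (jsmith) instead of the SECID placeholder.
EVENT_REAL_SUBJECT = EVENT.replace(
    "DOMAIN\\SECID Account Name: SECID", "DOMAIN\\jsmith Account Name: jsmith"
)

# Candidate extractions. The first three are the patterns proposed in the thread
# (quotes dropped, (?<name>...) written as (?P<name>...) for Python). The last is
# an added alternative that anchors on the "Target Account:" label instead of on
# what precedes "Account Name".
PATTERNS = {
    "domain_follow": r"Account Name:\s+(?P<account_name>\S+)\s+Account Domain",
    "lookbehind": r"(?<!SECID )Account Name:\s+(?P<account_name>\S+)",
    "two_captures": (r"Account\s+Name\:\s+(?P<SECID_account_name>\w+).+?"
                     r"Account\s+Name\:\s+(?P<account_name>\w+).+?$"),
    "target_anchor": r"Target Account:.*?Account Name:\s+(?P<account_name>\S+)",
}


def first_match(pattern, event=EVENT):
    """Named groups of the first match: what a single-valued extraction yields."""
    m = re.search(pattern, event)
    return m.groupdict() if m else None


def all_account_names(pattern, event=EVENT):
    """Every account_name the pattern yields when applied repeatedly, which is
    what makes a field multi-valued (for example rex with max_match=0)."""
    return [m.group("account_name") for m in re.finditer(pattern, event)]


def target_account_name(event):
    """The Account Name that follows 'Target Account:', or None if absent."""
    m = re.search(PATTERNS["target_anchor"], event)
    return m.group("account_name") if m else None


if __name__ == "__main__":
    for label, event in (("placeholder event", EVENT),
                         ("realistic Subject", EVENT_REAL_SUBJECT)):
        print(label)
        for name, pat in PATTERNS.items():
            print(f"  {name:14s} first={first_match(pat, event)} "
                  f"all={all_account_names(pat, event)}")
```

Run it and compare the first= and all= columns for each pattern: a pattern whose all= list has two entries is one that produces a multi-valued field, and the lookbehind on the literal "SECID " only excludes the Subject while the Subject's account really is SECID, which the second event shows.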
Hi Michael,
Assuming the first "Account Name" field in the event is SECID_account_name and the second is just account_name, the following should work:
In-line search
sourcetype=blah blah blah | rex field=_raw "Account\s+Name\:\s+(?<SECID_account_name>\w+).+?Account\s+Name\:\s+(?<account_name>\w+).+?$" | fields SECID_account_name account_name
To automate this extraction in props.conf, the entry under your stanza should be:
[yoursourcetypehere]
EXTRACT-accounts = Account\s+Name\:\s+(?<SECID_account_name>\w+).+?Account\s+Name\:\s+(?<account_name>\w+).+?$
I am pretty sure this should work, if there are always two "Account Name" field entries in each event.
Since my first answer didn't work, here is proposal #2
[yoursourcetypehere]
EXTRACT-e1="SECID Account Name: (?P<SECID_account_name>\S+)"
EXTRACT-e2="Account Name:\s+(?P<account_name>\S+)\s+Account Domain"
This does not use the negative look-behind, but it does assume that the Account Name will always be followed by the Account Domain.
And as sowings pointed out, the regular expression could be used in the rex command as well as in props.conf.
No, I did not get two name accounts, but I got information from both instead of just the second account name.
So you did something like this:
sourcetype=WinEventLog:Security
| rex field=_raw "Account Name:\s+(?P<account_name>\S+)\s+Account Domain"
| table account_name EventCode
and you still got two account names?
Does anyone have any other suggestions, because I cannot get it to work?
I have still been trying to just generate a rex. It still selects both of the Account Names. I thank you so much for your help; it just doesn't seem to work in RegExr or the Splunk rex generator.
Here are two field extractions, one for each! In props.conf
[yoursourcetypehere]
EXTRACT-e1="SECID Account Name: (?P<SECID_account_name>\S+)"
EXTRACT-e2="(?<!SECID )Account Name: (?P<account_name>\S+)"
The second extraction uses a "negative look behind" to only match when Account Name is not preceded by SECID.
Let us know if that doesn't work...
BTW, I highly recommend the book Teach Yourself Regular Expressions in 10 Minutes by Ben Forta if you are going to be doing a lot of this sort of thing - along with a good PCRE reference book.
It is still matching both of the account names instead of just the second one in my raw data.
The rex statement would be the same as posted above as the right hand side of "EXTRACT-e2". If that's not working from rex in a search, you'll need to adjust it until it does. Perhaps there are tabs or multiple spaces between "Name: " and the text you're trying to retrieve. Consider:
(?<!SECID )Account Name:\s+(?P<account_name>\S+)
We edited the props.conf. We are running our search and are calling WinEventLog:Security. I still cannot get the results that are needed. We were wondering if this would be possible to do with just a rex. All we need is the second account name. Any help would be great. Thank you.
Thank you for your response