
Generating a RegEx / prop change doesn't work

Michael_Schyma1
Contributor
07/20/2012 05:19:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4726 EventType=0 Type=Information ComputerName=DCSERVER TaskCategory=User Account Management OpCode=Info RecordNumber=17011111115 Keywords=Audit Success Message=A user account was deleted. Subject: Security ID: DOMAIN\SECID Account Name: SECID Account Domain: DOMAINNAME Logon ID: 0x6e46ffd0 Target Account: Security ID: S-3-5-21-2246893-1118314593-79235642-331713 Account Name: acctname Account Domain: DOMAIN Additional Information: Privileges -

We are able to parse the message for Account Name, but both account names are in the results:

SECID
acctname

We would like to create a field extraction to provide only the second Account Name: acctname

acctname

We would like to create a regex expression for this since the change to the prop did not work. Thank you for any help that can be given.

1 Solution

lguinn2
Legend

Attempt #3:

Part of the problem may be that there are already field extractions defined for sourcetype WinEventLog:Security. To override them, put this stanza in this location: $SPLUNK_HOME\etc\system\local\props.conf

[WinEventLog:Security]
EXTRACT-e2="Account Name:\s+(?P<account_name>\S+)\s+Account Domain"

This will not eliminate other fields. If you still find that account_name is a multi-valued field, I suggest that you use a different name, such as acct_name, that is not already being used.

Yes, you could go ferret out where all the Windows Event Log fields are defined, and change them, but then the dashboards, etc. that are built into the Splunk for Windows app will stop working...



Gilberto_Castil
Splunk Employee

Hi Michael,

Assuming the first "Account Name" field in the event is SECID_account_name and the second is just account_name, the following should work:

In-line search

sourcetype=blah blah blah | rex field=_raw "Account\s+Name\:\s+(?<SECID_account_name>\w+).+?Account\s+Name\:\s+(?<account_name>\w+).+?$" | fields SECID_account_name account_name

To automate this extraction in props.conf, the entry under your stanza should be:

[yoursourcetypehere]
EXTRACT-accounts = Account\s+Name\:\s+(?<SECID_account_name>\w+).+?Account\s+Name\:\s+(?<account_name>\w+).+?$

I am pretty sure this should work - if there are always two "Account Name" field entries in each event.


lguinn2
Legend

Since my first answer didn't work, here is proposal #2:

[yoursourcetypehere]
EXTRACT-e1="SECID Account Name: (?P<SECID_account_name>\S+)"
EXTRACT-e2="Account Name:\s+(?P<account_name>\S+)\s+Account Domain"

This does not use the negative look-behind, but it does assume that the Account Name will always be followed by the Account Domain.

And as sowings pointed out, the regular expression could be used in the rex command as well as in props.conf.


Michael_Schyma1
Contributor

No, I did not get two name accounts, but I got information from both instead of just the second account name.


lguinn2
Legend

So you did something like this:

sourcetype=WinEventLog:Security
| rex field=_raw "Account Name:\s+(?P<account_name>\S+)\s+Account Domain"
| table account_name EventCode

and you still got two account names?


Michael_Schyma1
Contributor

Does anyone have any other suggestions, because I cannot get it to work?


Michael_Schyma1
Contributor

I have still been trying to just generate a rex. It still selects both of the Account Names. I thank you so much for your help; it just doesn't seem to work in RegExr or the Splunk rex generator.


lguinn2
Legend

Here are two field extractions, one for each, in props.conf:

[yoursourcetypehere]
EXTRACT-e1="SECID Account Name: (?P<SECID_account_name>\S+)"
EXTRACT-e2="(?<!SECID )Account Name: (?P<account_name>\S+)"

The second extraction uses a "negative look behind" to only match when Account Name is not preceded by SECID.
Let us know if that doesn't work...

BTW, I highly recommend the book Teach Yourself Regular Expressions in 10 Minutes by Ben Forta if you are going to be doing a lot of this sort of thing - along with a good PCRE reference book.

Michael_Schyma1
Contributor

It is still matching both of the account names instead of just the second one in my raw data.


sowings
Splunk Employee

The rex statement would be the same as posted above as the right hand side of "EXTRACT-e2". If that's not working from rex in a search, you'll need to adjust it until it does. Perhaps there are tabs or multiple spaces between "Name: " and the text you're trying to retrieve. Consider:

(?<!SECID )Account Name:\s+(?P<account_name>\S+)

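The patterns proposed in this thread, run in Python against a constructed copy of the question's 4726 event, as an added example that is not code from any of the posts above: collecting every match of the accepted answer's "Account Name ... Account Domain" pattern yields both names (the multi-valued result the asker saw), sowings' lookbehind variant returns only the target on this sample, and a section-anchored parser (my own, hypothetical) keys each name to its "Subject:" or "Target Account:" label so the result does not depend on what precedes the first "Account Name:". The SAMPLE_4726 string and the tabbed variant are constructed test data.

```python
import re

# Constructed sample modelled on the 4726 event quoted in the question (values are placeholders).
SAMPLE_4726 = (
    "07/20/2012 05:19:38 AM LogName=Security SourceName=Microsoft Windows security auditing. "
    "EventCode=4726 EventType=0 Type=Information ComputerName=DCSERVER "
    "TaskCategory=User Account Management OpCode=Info RecordNumber=17011111115 "
    "Keywords=Audit Success Message=A user account was deleted. "
    "Subject: Security ID: DOMAIN\\SECID Account Name: SECID Account Domain: DOMAINNAME "
    "Logon ID: 0x6e46ffd0 "
    "Target Account: Security ID: S-3-5-21-2246893-1118314593-79235642-331713 "
    "Account Name: acctname Account Domain: DOMAIN Additional Information: Privileges -"
)

# Unanchored pattern from the thread: matches every "Account Name:", subject first, target second.
EVERY_ACCOUNT_NAME = re.compile(r"Account Name:\s+(?P<account_name>\S+)\s+Account Domain")

# Lookbehind pattern from the thread: skips an "Account Name:" directly preceded by "SECID ".
# Python (like PCRE) requires the lookbehind body to be fixed-width, which "SECID " is.
NOT_AFTER_SECID = re.compile(r"(?<!SECID )Account Name:\s+(?P<account_name>\S+)")

# Section-anchored patterns (hypothetical, not from the thread): each name is tied to its
# section label, so the target is found regardless of the subject's name or SID.
SUBJECT = re.compile(r"Subject:\s+Security ID:\s+(?P<subject_sid>\S+)\s+Account Name:\s+"
                     r"(?P<subject_account_name>\S+)\s+Account Domain:\s+(?P<subject_domain>\S+)")
TARGET = re.compile(r"Target Account:\s+Security ID:\s+(?P<target_sid>\S+)\s+Account Name:\s+"
                    r"(?P<target_account_name>\S+)\s+Account Domain:\s+(?P<target_domain>\S+)")


def every_account_name(event):
    """What a multi-valued extraction sees: all Account Name values in order of appearance."""
    return EVERY_ACCOUNT_NAME.findall(event)


def account_name_not_after_secid(event):
    """First Account Name not preceded by 'SECID ' (the thread's lookbehind), or None."""
    m = NOT_AFTER_SECID.search(event)
    return m.group("account_name") if m else None


def parse_4726(event):
    """Subject and target fields of a 4726 message, or None if either section is missing."""
    subj, tgt = SUBJECT.search(event), TARGET.search(event)
    if not (subj and tgt):
        return None
    fields = {**subj.groupdict(), **tgt.groupdict()}
    code = re.search(r"EventCode=(\d+)", event)
    fields["event_code"] = code.group(1) if code else None
    return fields
```

The `\s+` after "Account Name:" is what keeps all three patterns working when the Windows message separates label and value with tabs or several spaces, as sowings describes.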

Michael_Schyma1
Contributor

We edited the props.conf. We are running our search and are calling WinEventLog: Security. I still cannot get the results that are needed. We were wondering if this would be possible to do with just a REX. All we need is the second account name. Any help would be great. Thank you.


Michael_Schyma1
Contributor

Thank you for your response
