I copied the log from Splunk to regex101.com. I am searching against Windows Event Viewer logs, Event Codes 4722 and 4720. I am trying to create a new field 'enableusername' that matches Account Name only for event 4722. Writing a regular expression in regex101.com matches, but as soon as I use the rex command it doesn't work.
I tested creating test fields one line at a time. My test fields worked correctly until I got to the line break in the log. It fails once we hit the line break in the log, line 13.
rex " EventCode=4722(\n.+\s?){8}\s\nSubject:(\n.+\s?){4}\s\n.+\n\s.+\n\sAccount Name:\s\s(?<test>.+?)\n"
04/13/2018 01:33:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4722
EventType=0
Type=Information
ComputerName=dc.domain.local
TaskCategory=User Account Management
OpCode=Info
RecordNumber=4144536958
Keywords=Audit Success
Message=A user account was enabled.
Subject:
Security ID: company\server
Account Name: server
Account Domain: company
Logon ID: 0x92A3188
Target Account:
Security ID: CASEYS\user
Account Name: user
Account Domain: domain
I believe that the following two examples could work for what you want. The first will get you the first Account Name, and the second will get the last Account Name:
rex field=raw " EventCode=4722[\s\S]+?Account Name:\s+(?<enableusername>.+)"
rex field=raw " EventCode=4722[\s\S]+Account Name:\s+(?<enableusername>.+)"
This has worked for my test case which I'm supplying the search for:
| makeresults
| eval raw="04/13/2018 01:33:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4722
EventType=0
Type=Information
ComputerName=dc.domain.local
TaskCategory=User Account Management
OpCode=Info
RecordNumber=4144536958
Keywords=Audit Success
Message=A user account was enabled.
Subject:
Security ID: company\server
Account Name: server
Account Domain: company
Logon ID: 0x92A3188
Target Account:
Security ID: CASEYS\user
Account Name: user
Account Domain: domain"
| rex field=raw " EventCode=4722[\s\S]+?Account Name:\s+(?<enableusername>.+)"
Hopefully this will get you on your way to what will work best for you.
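The two rex patterns in the answer differ only in whether `[\s\S]+` is lazy or greedy, and that decides which of the event's two `Account Name:` lines is captured: the Subject block (the account that performed the enable) comes first, the Target Account block (the account that was enabled) comes last. The following Python script is an added example, not part of the original question or answer; it runs the lazy and greedy patterns, plus a third pattern anchored on the `Target Account:` header (my suggestion, not from the thread), over a constructed copy of the 4722 event, and shows why a plain `.+` cannot reach past the first line break. Python spells named groups `(?P<name>...)` where Splunk's rex (PCRE) uses `(?<name>...)`; the constructed 4720 event is assumed to share the same layout.

```python
import re

# Constructed sample event, modelled on the 4722 event quoted in the question.
# Windows writes the Subject (who performed the action) before the Target
# Account (the account that was enabled), so there are two "Account Name:" lines.
EVENT_4722 = r"""04/13/2018 01:33:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4722
EventType=0
Type=Information
ComputerName=dc.domain.local
TaskCategory=User Account Management
OpCode=Info
RecordNumber=4144536958
Keywords=Audit Success
Message=A user account was enabled.
Subject:
Security ID: company\server
Account Name: server
Account Domain: company
Logon ID: 0x92A3188
Target Account:
Security ID: CASEYS\user
Account Name: user
Account Domain: domain"""

# Constructed 4720 (account created) event with the same layout; assumed, and used
# only to check that the 4722-specific patterns leave it alone.
EVENT_4720 = EVENT_4722.replace("EventCode=4722", "EventCode=4720").replace(
    "A user account was enabled.", "A user account was created.")

# "." does not match a newline (same default in Python and PCRE), so this pattern
# dies at the end of the EventCode line, which is the failure the question describes.
DOT_ONLY = re.compile(r"EventCode=4722.+Account Name:\s+(?P<enableusername>.+)")

# The answer's first pattern: lazy, stops at the FIRST "Account Name:" (the Subject).
LAZY = re.compile(r"EventCode=4722[\s\S]+?Account Name:\s+(?P<enableusername>.+)")

# The answer's second pattern: greedy, backtracks to the LAST "Account Name:" (the Target).
GREEDY = re.compile(r"EventCode=4722[\s\S]+Account Name:\s+(?P<enableusername>.+)")

# Anchored variant (my suggestion): pin the capture to the Target Account block so it
# does not depend on the block order or on the number of lines in between.
ANCHORED = re.compile(
    r"EventCode=4722[\s\S]*?Target Account:[\s\S]*?Account Name:\s+(?P<enableusername>\S+)"
)


def extract(pattern: re.Pattern, event: str):
    """Return the captured enableusername, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("enableusername") if m else None


if __name__ == "__main__":
    for name, pat in [("dot-only", DOT_ONLY), ("lazy", LAZY),
                      ("greedy", GREEDY), ("anchored", ANCHORED)]:
        print(f"{name:9} 4722 -> {extract(pat, EVENT_4722)!r:10} "
              f"4720 -> {extract(pat, EVENT_4720)!r}")
```

For an "account enabled" field you normally want the Target account, so the greedy pattern (or the anchored one) is the right choice; the lazy pattern returns the operator who performed the enable, which is a different and also useful field. In real Splunk data the event text lives in `_raw`, so use `rex field=_raw` (or omit `field=`, which defaults to `_raw`) rather than the `raw` field the answer's `makeresults` test constructs.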