Solved: Re: Extracting information via Regex

Michael_Schyma1 · ‎10-11-2012

Subject:

    Security ID:        NULL SID

    Account Name:       -

    Account Domain:     -

    Logon ID:       0x0



Logon Type:         3



Account For Which Logon Failed:

    Security ID:        NULL SID

    Account Name:       MIF3VB0

    Account Domain:     Company

I want to be able to create a regular expression that just grabs the second Account Name In my search under the title account for which logon failed. Does anyone have any suggestions on how i would go about extracting a variable with two values set to it. I am having many problems trying to figure this out. thank you so much

Ayn · ‎10-11-2012

(?msi)Account For Which Logon Failed:.+?Account Name:\s+(\S+)

View solution in original post

Ayn · ‎10-11-2012

(?msi)Account For Which Logon Failed:.+?Account Name:\s+(\S+)

Michael_Schyma1 · ‎10-11-2012

Thank you so much, that works perfectly. I got this to work but it doesnt look as good as yours:

rex field=_raw "Account For Which Logon Failed:\W\s+\w+\W\S+\W\W+\S+\W\S+\W\s+\w+\W\w+:\W\W(?.+?)\W"

Extracting information via Regex

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?