Re: Regex to find Account_Name's that end in a $ a...

benbabich · ‎10-12-2017

I want to find all names in Account_Name that end with a $ and not ones that don't. IE: I want NAME1$ but not NAME2.
I've been trying regex Account_Name=".*\$" but am still getting NAME2.
Any ideas?

agarrison · ‎10-13-2017

You could try something like this Account_Name=\w+\$ to match account names that are letters, or something like Account_Name=.+\$ if your accounts have other characters.

For reference here is a transform I have that finds account names that match the computer name with a $ at the end and drop those events, I usually don't care about all the spam events from local accounts on the computer itself.

[ignorelocalaccount]
REGEX=(?msi)EventCode=(?:4624|4634).+^ComputerName=(\w+).+\s+Account\sName:\s+(\1\$)
DEST_KEY=queue
FORMAT=nullQueue

richgalloway · ‎10-12-2017

Does the answer have to be regex? Have you tried ... | where Account_Name="*$" | ... ?

---
If this reply helps you, Karma would be appreciated.

benbabich · ‎10-13-2017

I really wanted that to work. But where ".\$" in Regex still gives me names not ending in $, | where Account_Name="$" | gives me zero results.
I'll play around with it and see though.

nickhills · ‎10-13-2017

... user="*$"|table user

Works for me, but perhaps I have misunderstood exactly what you are asking!

...|rex field=user "(?<userDollar>.+\$)"|table user userDollar

also works, and creates a new field which will only include usernames ending with $

If my comment helps, please give it a thumbs up!

Regex to find Account_Name's that end in a $ and \ isn't stopping it's special char nature

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases