Solved: Getting text from raw event with regex

g_paternicola · ‎09-13-2021

Hi everyone,

I'm trying to get a simple text from a raw event, but I can't make it works.

The event looks like this:

and my regex looks like this:

| rex field=_raw "Allow\s(?<GroupName>\w.+)\s+Enroll"

my issue is, that I only going to get a few of those groups, but not all... for example I will get the Domain Users but not the Enterprise Users which is in the same raw file...

Could please someone help me with this regex?

richgalloway · ‎09-13-2021

It's not clear to me what the problem is, but I think the rex command is not extracting all instances of the "Allow" field. If so, then the max_match option should help.

| rex field=_raw max_match=0 "Allow\s(?<GroupName>\w.+)\s+Enroll"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-13-2021

It's not clear to me what the problem is, but I think the rex command is not extracting all instances of the "Allow" field. If so, then the max_match option should help.

| rex field=_raw max_match=0 "Allow\s(?<GroupName>\w.+)\s+Enroll"

---
If this reply helps you, Karma would be appreciated.

Getting text from raw event with regex

field extraction

regex

rex

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...