I am trying to create a search that returns only those events that have a specific username (or part of a username) in the Account Name field under Target Account. I have zero experience with regular expressions, but based on some other posts I was able to put together a regex that seems to locate the appropriate field (which I tested on regex101.com). However, I can't seem to get the search to work - I've tried three different variations, and all error out. One final note, I'm using "like" because in the final iteration of the search, I'll be looking for any username that contains a specific suffix, not just one specific account. Appreciate the help.
WORKING REGEX
(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)
SAMPLE EVENT
6/25/2018 01:07:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4723
EventType=0
Type=Information
ComputerName=SERVER.TRX.COM
TaskCategory=User Account Management
OpCode=Info
RecordNumber=329720657
Keywords=Audit Success
Message=An attempt was made to change an account's password.
Subject:
Security ID: TRX\jsmith
Account Name: jsmith
Account TRX: TRX
Logon ID: 0x6368FECE
Target Account:
Security ID: TRX\jsmith
Account Name: jsmith
Account TRX: TRX
Additional Information:
Privileges
SEARCH THAT WORKS (But does not use the regular expression)
EventCode=4723 OR EventCode=4724 | where like (Account_Name,"jsmith")
REGEX SEARCHES TRIED
EventCode=4723 OR EventCode=4724 | where like ((regex "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)"),"jsmith")
EventCode=4723 OR EventCode=4724 | where like ((regex = "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)"),"jsmith")
EventCode=4723 OR EventCode=4724 | where like ((regex = (?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)),"jsmith")
Try this:
https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Regex
... root search ... | regex AccountName="Regex"
Or even this
... root search ... | rex "(?ms)Target Account:.*Security ID:.*Account Name:\s+(?<Account_Name>[^ ]*)" | where Account_Name="jsmith"
You don't need to use the regex command if the field extract already exists:
root search jsmith OR AccountName=jsmith
These look like WinEventLog:Security. You should look into using the Splunk TA for Windows and the out-of-the-box sourcetypes that come with it to handle this type of data. Then your extractions will work automatically rather than you having to write your own.
In terms of running an inline regex, what @jkat54 said is correct; just run your base search followed by ... | regex "(?ms)Target Account:.*Security ID:.*Account Name:\s+jsmith"
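To make the three moving parts of this thread concrete (a `rex`-style extraction anchored on `Target Account:`, an SPL `like()` pattern using `%` for the suffix match the question is heading towards, and the raw-message `regex` filter from the answer above), here is an added Python model of that pipeline. It is not Splunk code and is not from the original thread; the two events, the `svc_backup-adm` account and the second RecordNumber are constructed for the example. Two details differ from the posted regex on purpose: Python spells named groups `(?P<name>...)`, and the capture uses `\S+` instead of `[^ ]*`, because a class that excludes only the space character still matches newlines and tabs and so runs past the end of the name unless a space happens to follow it. The `spl_regex` helper also shows that `Account Name:\s+jsmith` on the raw message matches any name that merely starts with `jsmith` (for example `jsmithson`) unless the pattern is terminated with something like `(?=\s|$)`.

```python
import re
from typing import List, Optional

# Constructed sample events (not from the original thread), laid out like the
# Windows Security events in the question. The second event, the account
# svc_backup-adm and its RecordNumber are invented for this example.
EVENTS = [
    """EventCode=4723
RecordNumber=329720657
Message=An attempt was made to change an account's password.
Subject:
Security ID: TRX\\jsmith
Account Name: jsmith
Account Domain: TRX
Logon ID: 0x6368FECE
Target Account:
Security ID: TRX\\jsmith
Account Name: jsmith
Account Domain: TRX
""",
    """EventCode=4724
RecordNumber=329720999
Message=An attempt was made to reset an account's password.
Subject:
Security ID: TRX\\jsmith
Account Name: jsmith
Account Domain: TRX
Logon ID: 0x6368FECE
Target Account:
Security ID: TRX\\svc_backup-adm
Account Name: svc_backup-adm
Account Domain: TRX
""",
]

# Same shape as the regex in the question. Anchoring on "Target Account:" is
# what keeps the Subject block's own "Account Name:" from being captured.
# Differences: Python names groups (?P<name>...) where PCRE/Splunk also accept
# (?<name>...); lazy .*? stops at the first "Security ID:" / "Account Name:"
# after the anchor; \S+ stops at any whitespace, whereas [^ ]* excludes only
# the space character and keeps going through newlines and tabs.
TARGET_ACCOUNT_RE = re.compile(
    r"(?ms)Target Account:.*?Security ID:.*?Account Name:\s+(?P<Account_Name>\S+)"
)
SUBJECT_ACCOUNT_RE = re.compile(r"(?ms)Subject:.*?Account Name:\s+(?P<Account_Name>\S+)")
# The capture group exactly as posted, to show what [^ ]* actually grabs.
POSTED_RE = re.compile(
    r"(?ms)Target Account:.*Security ID:.*Account Name:\s+(?P<Account_Name>[^ ]*)"
)
EVENT_CODE_RE = re.compile(r"^EventCode=(\d+)$", re.M)
RECORD_RE = re.compile(r"^RecordNumber=(\d+)$", re.M)


def capture(event: str, regex: re.Pattern) -> Optional[str]:
    """Like `rex`: return the Account_Name group, or None if the regex misses."""
    m = regex.search(event)
    return m.group("Account_Name") if m else None


def spl_like(value: Optional[str], pattern: str) -> bool:
    """Emulate SPL like(): % matches any run of characters, _ one character.

    This helper is case-sensitive and must cover the whole value, so "jsmith"
    matches only jsmith, while "%-adm" matches any name ending in -adm.
    """
    if value is None:
        return False
    translated = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(translated, value, re.S) is not None


def spl_regex(event: str, pattern: str) -> bool:
    """Emulate `| regex "<pattern>"` against the raw event: keep it on any match."""
    return re.search(pattern, event) is not None


def search_target_accounts(events: List[str], pattern: str,
                           codes=("4723", "4724")) -> List[str]:
    """EventCode=4723 OR EventCode=4724 | rex ... | where like(Account_Name, pattern)

    Returns the RecordNumber of each event whose Target Account name matches.
    """
    hits = []
    for ev in events:
        code = EVENT_CODE_RE.search(ev)
        if not code or code.group(1) not in codes:
            continue  # outside the base search
        if spl_like(capture(ev, TARGET_ACCOUNT_RE), pattern):
            hits.append(RECORD_RE.search(ev).group(1))
    return hits
```

`search_target_accounts(EVENTS, "jsmith")` returns only the 4723 record: the 4724 event has jsmith as the Subject but `svc_backup-adm` as the Target Account, which is exactly the distinction the question asks for. `search_target_accounts(EVENTS, "%-adm")` returns only the reset event, which is the suffix search the asker plans to run.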
Thanks. That worked and I'll also look into TA for Windows. Appreciate the help.