Windows Logs: Ignore Spaces In Target Text?
Regex noob here. I am searching through Windows Security Event Logs trying to extract values. I have found that the regex syntax I am using only returns values when the target text does not contain a space. How do I configure the regex syntax to grab all characters/words regardless of whether there is a space?
Search line:
| parse regex "Target Account Name:\s+(?<Group_Name>\S+)+\r\n\r\n." nodrop
Examples:
Failure:
Target Account Name: Windows Vision-Group (the resulting "group_name" field is blank when the search is run)
Success:
Target Account Name: Windows-Vision-Group (the resulting "group_name" field contains "Windows-Vision-Group")
-
Hi Mike, try this regex:
| parse regex "Target Account Name:[\s&&[^\r]]+(?<group_name>[^\r]+?)\r"
What you are doing here is making sure that you are capturing only those entries that have an actual group name (i.e. where the field is not blank) and then while capturing the group_name you make sure that you capture only the non-carriage return characters. Hope that helps, Rishi.
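The two patterns side by side, as an added Python example (not code from the question or the answer above). The event bodies are constructed, not captured events, and only the "Target Account Name" line matters. Rishi's `[\s&&[^\r]]` is Java character-class intersection syntax, which Python's `re` does not support, so the translation uses `[^\S\r\n]` ("whitespace other than CR/LF") instead; one addition over the answer's regex is a leading `\S` on the capture, so a run of tabs before an empty value is not captured as the group name.

```python
import re

# Original search regex from the question, in Python's (?P<...>) group syntax.
# \S+ stops at the first space, so "Windows Vision-Group" cannot match.
ORIGINAL = re.compile(r"Target Account Name:\s+(?P<Group_Name>\S+)+\r\n\r\n.")

# Translation of the answer's regex. [^\S\r\n]+ is Python's way of saying
# "one or more whitespace characters that are not CR/LF" (Java: [\s&&[^\r]]).
# The leading \S is an addition: it forces the captured name to start with a
# visible character, so a blank value padded with tabs yields no match.
FIXED = re.compile(r"Target Account Name:[^\S\r\n]+(?P<group_name>\S[^\r\n]*?)\r\n")


def event(target_account_name: str) -> str:
    """Constructed event body (not a real Windows event), CRLF line endings."""
    return (
        "Security Enabled Global Group Member Added:\r\n"
        "\tMember Name:\tCN=Jane Doe,OU=Users,DC=corp,DC=example\r\n"
        f"\tTarget Account Name:\t{target_account_name}\r\n"
        "\r\n"
        "\tTarget Domain:\tCORP\r\n"
    )


def extract(pattern: re.Pattern, text: str, group: str):
    """Return the named capture with surrounding whitespace stripped, or None."""
    m = pattern.search(text)
    return m.group(group).strip() if m else None


def original_group_name(text: str):
    return extract(ORIGINAL, text, "Group_Name")


def fixed_group_name(text: str):
    return extract(FIXED, text, "group_name")


def compare(names):
    """Run both patterns over constructed events; returns (name, original, fixed) rows."""
    return [(n, original_group_name(event(n)), fixed_group_name(event(n))) for n in names]


if __name__ == "__main__":
    for name, old, new in compare(["Windows-Vision-Group", "Windows Vision-Group", ""]):
        print(f"{name!r:24} original={old!r:24} fixed={new!r}")
```

The original pattern only succeeds on the hyphenated name; the translated pattern returns the value whether or not it contains spaces, and returns nothing for an empty field, which is the behaviour the answer describes.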