Parsing Windows Event Logs

Comments

3 comments

  • Rishi Divate

    Hi Kevin,

    Here's the parse statement you can use to extract both usernames:

    parse regex "Subject:[\s\S]+?Account Name:[\s&&[^\r]]+(?<src_user>[^\r]+?)\r[\s\S]+?Account Name:[\s&&[^\r]]+(?<dest_user>[^\r\"]+?)(?:\r|\";)"

    The [\s\S] expression indicates all whitespace and non-whitespace characters (including newlines). The [\s&&[^\r]] expression indicates whitespace characters that are not carriage return characters. The [^\r\"] expression indicates any character that is not a carriage return or a double quote.

    Hope that helps,

    Thanks,

    Rishi.

  • Kevin Francis

    AWESOME!!! Thanks Rishi!!! A perfect regex and a great explanation of how the regex works... Just what I wanted!

    Works perfectly!

  • Roger Bautista

    I am so glad to come across this post! I was having the same exact issue. Thank you for the query and explanation Rishi!

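Worked example, added here rather than taken from Rishi's post: the same two-field capture run outside Sumo Logic in Python's re module, which has no Java-style && class intersection, so [\s&&[^\r]] is rewritten as the equivalent [^\S\r] (whitespace that is not a carriage return). The event text, the compiled-pattern name and extract_logon_users are constructed for this example.

```python
import re
from typing import Dict, Optional

# Sumo Logic's parse regex uses Java character-class intersection, which
# Python's re lacks; [\s&&[^\r]] (whitespace other than CR) becomes [^\S\r],
# and the (?<name>...) groups become (?P<name>...). Everything else is kept.
LOGON_USERS_RE = re.compile(
    r"Subject:[\s\S]+?Account Name:[^\S\r]+(?P<src_user>[^\r]+?)\r"
    r"[\s\S]+?Account Name:[^\S\r]+(?P<dest_user>[^\r\"]+?)(?:\r|\";)"
)

# Constructed 4624-style Security event text (not a real capture). The first
# "Account Name:" sits under Subject (the account that requested the logon),
# the second under New Logon (the account that was logged on). Windows event
# messages use CRLF line endings, which is why the regex anchors on \r.
SAMPLE_EVENT = (
    "An account was successfully logged on.\r\n\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-18\r\n"
    "\tAccount Name:\t\tWORKSTATION01$\r\n"
    "\tAccount Domain:\t\tCORP\r\n"
    "\tLogon ID:\t\t0x3E7\r\n\r\n"
    "Logon Type:\t\t\t2\r\n\r\n"
    "New Logon:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-1004336348-1177238915-682003330-1001\r\n"
    "\tAccount Name:\t\tjdoe\r\n"
    "\tAccount Domain:\t\tCORP\r\n"
)

# Same event as it arrives when the message body is embedded as a quoted field
# and cut off right after the second Account Name; this is the case the
# trailing (?:\r|";) alternative in the post's regex exists for.
SAMPLE_EVENT_QUOTED = (
    'Message="Subject:\r\n\tAccount Name:\t\tWORKSTATION01$\r\n'
    'New Logon:\r\n\tAccount Name:\t\tjdoe";Level=Information'
)


def extract_logon_users(event_text: str) -> Optional[Dict[str, str]]:
    """Return the Subject and New Logon account names, or None if absent."""
    match = LOGON_USERS_RE.search(event_text)
    if match is None:
        return None
    return {"src_user": match.group("src_user"),
            "dest_user": match.group("dest_user")}


if __name__ == "__main__":
    print(extract_logon_users(SAMPLE_EVENT))
    print(extract_logon_users(SAMPLE_EVENT_QUOTED))
```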