Extractor catch next occurrence


(A3 Th3 Rius) #1

I want to use regex to catch the account name on this log file

Jun 28 15:48:17 <ServerName> Microsoft-Windows-Security-Auditing [476] Failed to log in to an account. Topic: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account for which logon was unsuccessful: Security ID: S-1-0-0 Account Name: **<AccountName I want>** Account Domain: XXXXXXXX Failure Information: Reason for Failure: Unknown username or incorrect password. State: 0xC000006D Sub state: 0xC0000064

I tried this :

`(?: Account Name.:..)"?([a-zA-Z0-9.-.@._.-]{1,})...... Account Area .... ([a- zA-Z0-9 .-. @ ._.-] {1,}) ... Login ID "?`

but I can’t catch the second occurrence, I get only : - from the first occurrence…

If someone can help me…


(Jan Doberstein) #2

Extractors catch only the FIRST group, that is one of their limitations.

That is written by the way at the UI.

First matcher group is used

You might want to switch to the processing pipelines to work around this limitation.


(A3 Th3 Rius) #3

Thanks for your answer.
I made an extractor substring and I managed to catch the account name.

Thanks again for your help.
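An added example, not part of the original thread: because only the first capture group is used, one option is to anchor the pattern on the "Account for which logon was unsuccessful:" header so that its single group lands on the second `Account Name`. The function name, host name and account names below are constructed for illustration, and the header wording follows the log line quoted in post #1.

```python
import re

# Naive pattern: the first "Account Name:" in the event is the subject block,
# which holds "-" for a network logon, so group 1 is the wrong field.
NAIVE = re.compile(r"Account Name:\s+(\S+)")

# Anchored pattern: skip ahead to the failed-logon section first, then capture.
# (?s) lets ".*?" cross newlines, \s+ accepts the tabs of the raw event as well
# as the flattened single-line form, and (.+?) allows names containing spaces.
ANCHORED = re.compile(
    r"(?s)Account for which logon was unsuccessful:"
    r".*?Account Name:\s+(.+?)\s+Account Domain:"
)


def failed_logon_account(message):
    """Return the account that failed to log on, or None if not present."""
    match = ANCHORED.search(message)
    return match.group(1) if match else None


# Constructed sample in the single-line form shown in the thread.
SAMPLE = (
    "Jun 28 15:48:17 srv01 Microsoft-Windows-Security-Auditing [476] "
    "Failed to log in to an account. Topic: Security ID: S-1-0-0 "
    "Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 "
    "Account for which logon was unsuccessful: Security ID: S-1-0-0 "
    "Account Name: jdoe Account Domain: EXAMPLE Failure Information: "
    "Reason for Failure: Unknown username or incorrect password. "
    "State: 0xC000006D Sub state: 0xC0000064"
)

# Constructed sample with tabs/newlines and a space in the account name.
MULTILINE = (
    "Failed to log in to an account.\n\nTopic:\n"
    "\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n"
    "\tAccount Domain:\t\t-\n\n"
    "Account for which logon was unsuccessful:\n"
    "\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tsvc backup\n"
    "\tAccount Domain:\t\tEXAMPLE\n"
)

if __name__ == "__main__":
    print("naive   :", NAIVE.search(SAMPLE).group(1))
    print("anchored:", failed_logon_account(SAMPLE))
    print("tabbed  :", failed_logon_account(MULTILINE))
```

The anchored pattern has exactly one capture group, so under the assumption that the extractor's regex engine accepts the inline `(?s)` flag, the same pattern text fits a first-group-only extractor.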

