I am working with winevent logs for failed logons (Event 4625) and I have a log that has null/blank values for Account and Domain. When I try to extract the field I can see in the IFX that it is being grabbed as what seems to be a null/blank value using my regex below. When I save the extraction, all of the other fields I am extracting work, but the Account and Domain fields are not being assigned a value of anything and are not showing up as extracted fields. My question is: how do I extract a null/blank value from a log and have Splunk still recognize it as a field with a null/blank value?
The regex I am using is:
(?s)EventCode=4625.+?ComputerName=(?<ComputerName>[^\s]+).+?Logon Type:\s+(?<LogonType>\d).+?Account Name:\s+(?<Account>[^\r\n]*)\sAccount Domain:\s+(?<Domain>[^\r\n]*)(Failure Reason:).+?Caller Process Name:\s+(?<CallerProcessName>[^\s]+).+?Workstation Name:\s+(?<WorkstationName>[^\s]+).+?Source Network Address:\s+(?<SourceNetworkAddress>[^\s]+).+?Source Port:\s+(?<SourcePort>[^\s]+)
The log looks like this:
11/15/2019 12:36:54 PM
EventCode=4625
ComputerName=somehost
Message=An account failed to log on.
Security ID: DOMAIN\someuser
Account Name: someuser
Account Domain: DOMAIN
Logon ID: 0x0000000
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Reason: An Error occured during Logon.
Status: 0x00000000
Sub Status: 0x0
Caller Process ID: 0x0000
Caller Process Name: C:\Windows\System32\someprocess.exe
Workstation Name: somehost
Source Network Address: -
Source Port: -
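The following is an added, stand-alone example (not code from the post or from Splunk) that runs the posted regex over a constructed copy of the event to show what the blank captures actually contain, and why `\s+` after the label is fragile when the value is empty. The group names (`Account`, `Domain`, `ComputerName`, and so on) are assumed, since the post does not show them; the sample keeps trailing tabs after the blank labels, which Windows leaves after the colon, and the "robust" pattern is a hypothetical hardened variant, not a Splunk-recommended one. Blank captures are normalized to an explicit marker so a downstream consumer (a SIEM that drops empty values, or a detection keyed on NULL-SID failures) still sees the field.

```python
import re
from typing import Dict, Optional

# Constructed sample event modelled on the log in the post (not a real capture).
# The two blank labels keep the trailing tabs Windows emits after the colon.
SAMPLE_EVENT = (
    "11/15/2019 12:36:54 PM\n"
    "EventCode=4625\n"
    "ComputerName=somehost\n"
    "Message=An account failed to log on.\n"
    "Security ID: DOMAIN\\someuser\n"
    "Account Name: someuser\n"
    "Account Domain: DOMAIN\n"
    "Logon ID: 0x0000000\n"
    "Logon Type: 3\n"
    "Account For Which Logon Failed:\n"
    "Security ID: NULL SID\n"
    "Account Name:\t\t\n"
    "Account Domain:\t\t\n"
    "Failure Reason: An Error occured during Logon.\n"
    "Status: 0x00000000\n"
    "Sub Status: 0x0\n"
    "Caller Process ID: 0x0000\n"
    "Caller Process Name: C:\\Windows\\System32\\someprocess.exe\n"
    "Workstation Name: somehost\n"
    "Source Network Address: -\n"
    "Source Port: -\n"
)

# The posted regex with assumed group names, written in Python's (?P<name>...)
# syntax (Splunk's PCRE uses (?<name>...)).
POSTED_RE = re.compile(
    r"(?s)EventCode=4625.+?ComputerName=(?P<ComputerName>[^\s]+)"
    r".+?Logon Type:\s+(?P<LogonType>\d)"
    r".+?Account Name:\s+(?P<Account>[^\r\n]*)\sAccount Domain:\s+(?P<Domain>[^\r\n]*)(Failure Reason:)"
    r".+?Caller Process Name:\s+(?P<CallerProcessName>[^\s]+)"
    r".+?Workstation Name:\s+(?P<WorkstationName>[^\s]+)"
    r".+?Source Network Address:\s+(?P<SourceNetworkAddress>[^\s]+)"
    r".+?Source Port:\s+(?P<SourcePort>[^\s]+)"
)

# Hypothetical hardened variant: only spaces/tabs may follow a label, so the
# newline is never swallowed, and each blank-capable value ends at its own
# line break. This matches whether or not the blank label has trailing tabs.
ROBUST_RE = re.compile(
    r"(?s)EventCode=4625.+?ComputerName=(?P<ComputerName>\S+)"
    r".+?Logon Type:[ \t]*(?P<LogonType>\d)"
    r".+?Account Name:[ \t]*(?P<Account>[^\r\n]*)\r?\n"
    r"[ \t]*Account Domain:[ \t]*(?P<Domain>[^\r\n]*)\r?\n"
    r".+?Caller Process Name:[ \t]*(?P<CallerProcessName>\S+)"
    r".+?Workstation Name:[ \t]*(?P<WorkstationName>\S+)"
    r".+?Source Network Address:[ \t]*(?P<SourceNetworkAddress>\S+)"
    r".+?Source Port:[ \t]*(?P<SourcePort>\S+)"
)


def raw_captures(event: str, pattern: re.Pattern) -> Optional[Dict[str, str]]:
    """Return the named captures exactly as the regex produced them, or None
    if the pattern does not match the event at all."""
    m = pattern.search(event)
    return None if m is None else m.groupdict()


def extract(event: str, pattern: re.Pattern = ROBUST_RE,
            blank_marker: str = "-") -> Optional[Dict[str, str]]:
    """Extract fields and replace blank captures with an explicit marker
    ("-" by default, the same token Windows uses for unavailable values)
    so the field survives consumers that drop empty values."""
    captures = raw_captures(event, pattern)
    if captures is None:
        return None
    fields = {}
    for name, value in captures.items():
        value = (value or "").strip()
        fields[name] = value if value else blank_marker
    return fields


if __name__ == "__main__":
    # The posted regex does match, but Account and Domain come back as "".
    print("posted regex:", raw_captures(SAMPLE_EVENT, POSTED_RE))
    # Strip the trailing tabs and the posted regex no longer matches at all,
    # because \s+ after "Account Name:" must eat the newline.
    no_tabs = SAMPLE_EVENT.replace(":\t\t\n", ":\n")
    print("posted regex, no trailing tabs:", raw_captures(no_tabs, POSTED_RE))
    # The hardened pattern handles both layouts and blanks become "-".
    print("robust extract:", extract(SAMPLE_EVENT))
    print("robust extract, no trailing tabs:", extract(no_tabs))
```

Running it shows the captures the IFX preview reports as blank are genuinely empty strings rather than a missing match, and that whether the posted pattern matches at all depends on invisible whitespace after the label.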