Item Preprocessing with Regex
Video Lecture
Description
In this lecture, I add a pre-processing step to the item that instructs the agent to read the windows failed logon events.
The regular expressions demonstrated in this video are,
| Regex | Output | Description |
|---|---|---|
| (.*) | \0 | Returns only the first line of the complete failed logon event text. |
| Account Name:\t\t(.*) | \1 | Returns the 1st occurrence of the Account Name in the log text, that created the event. |
| Account Name:(.|\n)*\tAccount Name:\t\t(.*) | \2 | Returns the 2nd occurrence of the Account name in the log that created the event. |