Extracting a String using Regex

I’m wanting to pull the “Account Name: Person’s name” from the Message property under Get-EventLog. After I pipe it I use the hash table below, but it pulls all the property Message’s message. I tried using “\b” for boundaries but it didn’t change. I am trying to learn regular expressions, so I am not sure if I am misunderstanding the expressions’ meanings.

select @{n='Message'; e={$_.Message -replace '^(Account Name:.)$','$1'}}

Thank you for any help

Eric,

Would you be able to attach a full example of the event log message (obfuscate any sensitive info) and the command line used to retrieve it?

Get-EventLog -LogName Security -InstanceId 4624 | select TimeGenerated, @{n='Message'; e={$_.Message -replace '^(Account Name:.)$','$1'}} | format-list

Sorry, I thought you meant the event cmd that I was using.

Message : An account was successfully logged on.

                 Subject:
                     Security ID:        S-1-5-18
                     Account Name:        SO-PC$
                     Account Domain:        WORKGROUP
                     Logon ID:        0x3e7

                 Logon Type:            2

                 New Logon:
                     Security ID:        S-1-5-21-2415982056-31499485-2897633832-1007
                     Account Name:        Salamone
                     Account Domain:        SO-PC
                     Logon ID:        0x1ec8b42
                     Logon GUID:        {00000000-0000-0000-0000-000000000000}

                 Process Information:
                     Process ID:        0x12ec
                     Process Name:        C:\Windows\System32\winlogon.exe

                 Network Information:
                     Workstation Name:    SCOO-PC
                     Source Network Address:    127.0.0.1
                     Source Port:        0

                 Detailed Authentication Information:
                     Logon Process:        User32
                     Authentication Package:    Negotiate
                     Transited Services:    -
                     Package Name (NTLM only):    -
                     Key Length:        0

                 This event is generated when a logon session is created. It is genera.....

There’s an easier way. Use the ReplacementStrings collection instead of the message property:


Get-EventLog -LogName Security -InstanceId 4624 -Newest 1 | Select-Object -Property TimeGenerated, @{Label='UserName';Expression={$_.ReplacementStrings[1]}}

Nice Mike :) PowerShell is so powerful that one tends to forget the simplest of ways to use it! :)

That worked perfectly thank you.
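
Added example, not part of the thread: it shows why the anchored pattern from the question returns the whole Message, and a multiline pattern that captures both account names. The helper name Get-LogonAccountName and the trimmed sample message are constructed here for illustration.

```powershell
# Trimmed copy of the 4624 message posted in the thread, embedded so this runs offline.
$message = @'
An account was successfully logged on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SO-PC$
    Account Domain:     WORKGROUP

New Logon:
    Security ID:        S-1-5-21-2415982056-31499485-2897633832-1007
    Account Name:       Salamone
    Account Domain:     SO-PC
'@

# 1) The pattern from the question. Without (?m), ^ and $ anchor to the start and
#    end of the WHOLE string, and the text starts with "An account was...", so
#    nothing matches and -replace hands back its input unchanged.
$unchanged = $message -replace '^(Account Name:.)$', '$1'
"Question's pattern left the message untouched: $($unchanged -eq $message)"

function Get-LogonAccountName {
    # Hypothetical helper. Returns both account names, relying on the order in
    # which the two "Account Name:" lines appear in the message shown in the thread.
    param([Parameter(Mandatory)][string]$Message)

    # (?m) lets ^ and $ match at every line break; [ \t]* skips the indentation;
    # \r?$ keeps a CRLF line ending out of the capture group.
    $pattern = '(?m)^[ \t]*Account Name:[ \t]+(.+?)\r?$'
    $found = [regex]::Matches($Message, $pattern)
    if ($found.Count -lt 2) {
        throw "Expected two 'Account Name:' lines, found $($found.Count)"
    }
    [pscustomobject]@{
        SubjectAccount  = $found[0].Groups[1].Value
        NewLogonAccount = $found[1].Groups[1].Value
    }
}

# On a live 4624 entry, SubjectAccount is ReplacementStrings[1] (used in the answer
# above). NewLogonAccount is ReplacementStrings[5]; that index comes from the
# standard 4624 field order, not from the thread.
Get-LogonAccountName -Message $message
```

For detection or audit work the second value is usually the one of interest, since it is the account that actually logged on, while the first is the account that requested the logon.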