Detecting DCSync/DCShadow

Sorry, but for me this question makes no sense. What characters should I put in that regex? Please help.

Modify the last Splunk search in this section by replacing the two hidden characters (XX) to align the results with those shown in the screenshot. Enter the correct characters as your answer.

index=main earliest=1690623888 latest=1690623890 EventCode=4742 
| rex field=Message "(?P<gcspn>XX\/[a-zA-Z0-9\.\-\/]+)" 
| table _time, ComputerName, Security_ID, Account_Name, user, gcspn 
| search gcspn=*

I tackled this one by just searching with the first line of the given query and then analyzed the “Message” field to find the answer. PM if you need a nudge.

I'm on the same page here, I know the word is HOST but

Correct, just skip the | rex, table, search etc. tabs and study the “Message” field. There are two letters to be found to match, followed by the hostname. The answer format is XX.

When looking at the hostname in the Message field, notice how parts of the hostname are repeated. If there aren’t parts repeated, that’s not it.

Please, I managed to get the correct XX that outputs the details in the screenshot; it even lists just XX in the hostname, just the way the screenshot covers the XX, but when I input it I get incorrect answers. Is there an additional thing to add, or is it just the two characters? That’s my question.

Please, someone should help me. I have tried all I can. I don’t know if the problem is with the answer format. I have gotten the characters in the hostname that could output the result just as in the screenshot of the explanatory section, yet it’s showing incorrect when I submit.

Don’t remember how to get the answer, but most likely by following the instructions.

Answer starts with G

Thanks a lot. To be honest, you can’t find this in the Message field; just view the event and analyse it. The focus should be on SPNs.