topic Splunk DB Connect: How to parse user name field form McAfee logs so it can support CIM? in All Apps and Add-ons https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-parse-user-name-field-form-McAfee-logs/m-p/344155#M41591 <P>Hi,</P> <P>I have McAfee logs coming in to Splunk using Splunk DB Connect application. There are total 3 fields related to user name:<BR /> 1. user<BR /> 2. source_logon_user<BR /> 3. logon_user</P> <P>and the mcafee logs tagged to malware, attack, operations and the data is being accelerated by Malware datamodel. Malware data model looks for user and user field is available in McAfee logs, but the problem is I need to consider logon_user/source_logon_user not user field, I could simply rename source_logon_user/logon_user to user to work with CIM, again the problem with logon_user/source_logon_user has username like :</P> <P>domain\username<BR /> <A href="mailto:username@domain.com" target="_blank">username@domain.com</A><BR /> username</P> <P>how to deal with the above scenarios, the reason why I would like to reformat the username field from above three scenarios to user, when we search something user=username , it will not return user=domain\username.</P> <P>please help me out, if any spelunker already faced/solved this problem. </P> Tue, 29 Sep 2020 16:34:40 GMT thambisetty 2020-09-29T16:34:40Z Splunk DB Connect: How to parse user name field form McAfee logs so it can support CIM? https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-parse-user-name-field-form-McAfee-logs/m-p/344155#M41591 <P>Hi,</P> <P>I have McAfee logs coming in to Splunk using Splunk DB Connect application. There are total 3 fields related to user name:<BR /> 1. user<BR /> 2. source_logon_user<BR /> 3. logon_user</P> <P>and the mcafee logs tagged to malware, attack, operations and the data is being accelerated by Malware datamodel. Malware data model looks for user and user field is available in McAfee logs, but the problem is I need to consider logon_user/source_logon_user not user field, I could simply rename source_logon_user/logon_user to user to work with CIM, again the problem with logon_user/source_logon_user has username like :</P> <P>domain\username<BR /> <A href="mailto:username@domain.com" target="_blank">username@domain.com</A><BR /> username</P> <P>how to deal with the above scenarios, the reason why I would like to reformat the username field from above three scenarios to user, when we search something user=username , it will not return user=domain\username.</P> <P>please help me out, if any spelunker already faced/solved this problem. </P> Tue, 29 Sep 2020 16:34:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-parse-user-name-field-form-McAfee-logs/m-p/344155#M41591 thambisetty 2020-09-29T16:34:40Z Re: Splunk DB Connect: How to parse user name field form McAfee logs so it can support CIM? https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-parse-user-name-field-form-McAfee-logs/m-p/344156#M41592 <P>By looking at the CIM doc <BR /> <A href="http://docs.splunk.com/Documentation/CIM/4.9.1/User/Malware" target="_blank">http://docs.splunk.com/Documentation/CIM/4.9.1/User/Malware</A></P> <P>you want to use "dest_nt_domain" field to extract the domain separately from the username.</P> Tue, 29 Sep 2020 16:41:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-parse-user-name-field-form-McAfee-logs/m-p/344156#M41592 mhoogcarspel_sp 2020-09-29T16:41:40Z