https://community.splunk.com/t5/All-Apps-and-Add-ons/Regex-User-name-from-Symantec-logs/m-p/488566#M60134 <P>That worked perfectly. Thank you. </P> Fri, 17 Jan 2020 19:47:29 GMT Vfinney 2020-01-17T19:47:29Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Regex-User-name-from-Symantec-logs/m-p/488564#M60132 <P>We are having some issues with extracting fields from our symantec logs. While our team is working through this issue, I would like some help using regex to extract user names. </P> <P>2020-01-16 08:00:36,Critical,ASPRARWB1,Event Description: [SID: 30413] Web Attack: Passwd File Download Attempt attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\INETSRV\W3WP.EXE,Local Host IP: 127.0.0.1,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 127.0.0.1,Remote Host MAC: 000000000000,Outbound,TCP,Intrusion ID: 0,Begin: 2019-11-27 14:56:07,End: 2019-11-27 14:56:07,Occurrences: 1,Application: C:/WINDOWS/SYSTEM32/INETSRV/W3WP.EXE,Location: Default,User: pxmacct,Domain: DOL,Local Port: 53937,Remote Port: 5112,CIDS Signature ID: 30413,CIDS Signature string: Web Attack: Passwd File Download Attempt,CIDS Signature SubID: 74503,Intrusion URL: <A href="http://www.arppapi.dol.ks.gov/cgi-bin/ion-p.exe?page=../../../../../etc/passwd,Intrusion">www.arppapi.dol.ks.gov/cgi-bin/ion-p.exe?page=../../../../../etc/passwd,Intrusion</A> Payload URL: ,SHA-256: 6CD7CC4B72DB91F168C36C500C1BE9AE391C1FF09CD65295BB24267D35373FD9,MD-5: </P> <P>2020-01-16 08:00:31,Critical,ASPRARWB1,Event Description: [SID: 20521] Web Attack: SGI InfoSearch fname Exec CVE-2000-0207 attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\INETSRV\W3WP.EXE,Local Host IP: 127.0.0.1,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 127.0.0.1,Remote Host MAC: 000000000000,Outbound,TCP,Intrusion ID: 0,Begin: 2019-11-27 14:56:01,End: 2019-11-27 14:56:01,Occurrences: 1,Application: C:/WINDOWS/SYSTEM32/INETSRV/W3WP.EXE,Location: Default,User: pxmacct,Domain: DOL,Local Port: 53933,Remote Port: 5112,CIDS Signature ID: 20521,CIDS Signature string: Web Attack: SGI InfoSearch fname Exec CVE-2000-0207,CIDS Signature SubID: 75437,Intrusion URL: <A href="http://www.arppapi.dol.ks.gov/cgi-bin/infosrch.cgi?cmd=getdoc&amp;db=man&amp;fname=%7C/bin/id,Intrusion">www.arppapi.dol.ks.gov/cgi-bin/infosrch.cgi?cmd=getdoc&amp;db=man&amp;fname=|/bin/id,Intrusion</A> Payload URL: ,SHA-256: 6CD7CC4B72DB91F168C36C500C1BE9AE391C1FF09CD65295BB24267D35373FD9,MD-5: </P> Fri, 17 Jan 2020 15:46:51 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Regex-User-name-from-Symantec-logs/m-p/488564#M60132 Vfinney 2020-01-17T15:46:51Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Regex-User-name-from-Symantec-logs/m-p/488565#M60133 <P>You can try this:</P> <PRE><CODE> | rex "User\:\s(?&lt;user&gt;[^\,]+)" </CODE></PRE> Fri, 17 Jan 2020 17:22:30 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Regex-User-name-from-Symantec-logs/m-p/488565#M60133 jscraig2006 2020-01-17T17:22:30Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Regex-User-name-from-Symantec-logs/m-p/488566#M60134 <P>That worked perfectly. Thank you. </P> Fri, 17 Jan 2020 19:47:29 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Regex-User-name-from-Symantec-logs/m-p/488566#M60134 Vfinney 2020-01-17T19:47:29Z