topic Re: How to extract the username from a raw event? in Splunk Search

How to extract the username from a raw event?

vasuparvatham — Wed, 22 Apr 2020 16:49:22 GMT

Here is the raw event log:

Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed. Reason: No Roles
Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed from 10.12.6.240 for sramachandran/VPNUsers. All roles restricted.

I would like to extract only the username (ex: sramachandran in this case) to a field called "UserName".

Can you please help me achieve this?

Thanks in advance.

Re: How to extract the username from a raw event?

manjunathmeti — Wed, 22 Apr 2020 17:12:53 GMT

Use rex:

| rex "(?<UserName>\w+)\(VPNUsers\)"

Smaple query:

| makeresults | eval _raw="Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed from 10.12.6.240 for sramachandran/VPNUsers. All roles restricted." | rex "(?<UserName>\w+)\(VPNUsers\)"

Re: How to extract the username from a raw event?

richgalloway — Wed, 22 Apr 2020 17:24:24 GMT

Assuming the username always follows the IP address, which is in square brackets, this should do it.

]\s+(?<UserName>\w+)

Re: How to extract the username from a raw event?

vasuparvatham — Thu, 23 Apr 2020 04:24:11 GMT

index="juniperindex" ("Login Failed*" OR "Primary authentication failed") is my initial query to find the results:

The outcome events look like:

Apr 22 21:21:21 10.14.10.66 1 2020-04-22T21:21:21-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 21:21:21 - ive - [12.12.2.28] vinduri(VPNUsers)[] - Login failed using auth server LasVegas DC (LDAP Server). Reason: Failed

Apr 22 21:21:21 10.14.10.66 1 2020-04-22T21:21:21-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 21:21:21 - ive - [14.13.8.28] rgunasek(VPNUsers)[] - Primary authentication failed for vinduri/LasVegas DC from x.y.z.a

Can you now help me?

Re: How to extract the username from a raw event?

manjunathmeti — Thu, 23 Apr 2020 07:00:43 GMT

Below query should work:

index="juniperindex" ("Login Failed*" OR "Primary authentication failed") | rex "(?<UserName>\w+)\(VPNUsers\)" | table UserName

Re: How to extract the username from a raw event?

vasuparvatham — Thu, 23 Apr 2020 16:48:45 GMT

Yes this did the task. But i still have many other fields to be extracted with regular expression and add them to table finally.

In my next reply, can i paste another sample log file? with which we can fine tune this query more?

Thanks lot in advance.