topic Re: Regex help required in Splunk Search

Regex help required

SabariRajanT — Thu, 29 Apr 2021 08:01:22 GMT

Hi Team,

Can someone provide me the Regex for the below:

|search (UPN=*T@mail.eeir)

Re: Regex help required

gcusello — Thu, 29 Apr 2021 08:10:20 GMT

Hi @SabariRajanT,

if you could share a sample it's easier to help you!

Anyway, what do you need:

a regex to search all the events where there's the string "UPN=*T@mail.eeir",
the extraction of the UPN field?

If the first you can use:

| regex "UPN\=.*T\@mail\.eeir"

If the second, I need a sample.

Ciao.

Giuseppe

Re: Regex help required

SabariRajanT — Thu, 29 Apr 2021 08:33:57 GMT

Hi @gcusello

Thanks for your response. The main gole is to ignore the Capital "T" as shown below in the UPN

|search (UPN=*T@mail.weir).

If you could provide the Query accordingly as per regex 101 that would be great.

Thanks,

Sabari

Re: Regex help required

gcusello — Thu, 29 Apr 2021 08:38:48 GMT

Hi @SabariRajanT,

could share a sample?

Ciao.

Giuseppe

Re: Regex help required

gcusello — Thu, 29 Apr 2021 08:40:11 GMT

Hi @SabariRajanT,

ok, good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: Regex help required

SabariRajanT — Thu, 29 Apr 2021 09:09:31 GMT

sample - UPN=*t@cloud.weir

Required to remove above "t" and "T".

Re: Regex help required

gcusello — Thu, 29 Apr 2021 09:14:00 GMT

Hi @SabariRajanT,

please, try this

| regex "UPN\=.*(T|t)\@mail\.eeir"

Ciao.

Giuseppe

Re: Regex help required

SabariRajanT — Thu, 29 Apr 2021 09:33:24 GMT

@gcusello

Thanks for your response.!

It doesn't work out well

When i use a Not operator like below. The "t" "T" should ignore

search NOT (UPN=*t@cloud.eeir)

Re: Regex help required

gcusello — Thu, 29 Apr 2021 09:43:58 GMT

Hi @SabariRajanT,

did you tried the search without using regex?

| search NOT (UPN=*t@cloud.eeir)

Splunk searches aren't case sensitive.

Ciao.

Giuseppe

Re: Regex help required

SabariRajanT — Thu, 29 Apr 2021 09:46:47 GMT

hi @gcusello

Yes did that.! But no luck. There are n no of id's with "T" "t". The regex part will help it out as i believe.

Re: Regex help required

gcusello — Thu, 29 Apr 2021 09:51:37 GMT

Hi @SabariRajanT,

as I said, I could help you more, if you share some sample of your data (the events not the rule!): data to take and data to exclude.

Ciao.

Giuseppe

Re: Regex help required

SabariRajanT — Thu, 29 Apr 2021 11:24:46 GMT

Hi @gcusello

Let me explain you the scenario in details:

when I query below, I get the UPN details with "T" as below.

index=xxx | eval UPN=mvindex('userStates{}.userPrincipalName',0) |search UPN = "*T@mail.eeir"
|table UPN

xxx.mmm@mail.eeir

yyy.Mmmm@mail.eeir

zzz.rrrr@mail.eeir

cccc.eeeeT@mail.eeir

If you see above data xxx , yyy, cccT UPN data's coming up. But I need to ignore "T" here and show the rest all UPN data like as below

xxx.mmm@mail.eeir

yyy.Mmmm@mail.eeir

zzz.rrrr@mail.eeir

cccc.eeee@mail.eeir

For the same am trying to use below query with regex command. But no luck regex is not working.

index=graphsecurityalert | eval UPN=mvindex('userStates{}.userPrincipalName',0) |rex!=UPN = "*T@mail.eeir" |table UPN

if you provide the following rex will be great - |rex!=UPN = "*T@mail.eeir"

Re: Regex help required

gcusello — Thu, 29 Apr 2021 15:12:34 GMT

Hi @SabariRajanT,

please, try this regex:

| rex mode=sed field=UPN "s/(\w+\.\w+)T|t\@(.*)/\1\@\2/g"

Ciao.

Giuseppe

Re: Regex help required

SabariRajanT — Mon, 24 May 2021 14:29:23 GMT

thanks