topic Re: Reg - username extraction in Splunk Search

Reg - How do I extract username?

Sasti — Fri, 03 Jun 2022 22:01:07 GMT

Hi All,

I'm trying to extract the username from the _raw field using regex, how do I extract the username. The username comes after some parameters, the parameters look like (\"requestParameters\": {\"userName\": <username>)

Re: Reg - username extraction

PickleRick — Fri, 03 Jun 2022 06:22:27 GMT

What have you tried so far and what's the result?

Re: Reg - username extraction

Sasti — Fri, 03 Jun 2022 06:40:15 GMT

So I tried some regex likes(rex field=_raw "requestParameters\:(?P<userName>(.*))\=", rex field=_raw "requestParameters\: userName:\s(?<user>[^\/]+)", rex field=_raw "requestParameters":\s{\"userName"\:[a-zA-Z]+(?=+(?:"}" ) and the result is nothing it's not fetching the username.

Re: Reg - username extraction

gcusello — Fri, 03 Jun 2022 07:02:09 GMT

Hi @Sasti,

this log seems to be a json, did you tried to use the "INDEXED_EXTRACTIONS = JSON" option in props.conf?

or did you tried to use the "spath" command in search?

Anyway, if you want to use a regex, lete me understand, does you log contain?

\"requestParameters\": {\"userName\": <username>

"requestParameters": {"userName": <username>

in other words: in your logs are there slashes before quotes or not?

if yes, you could use a regex like this:

| rex "\\\"requestParameters\\\": \{\\\"userName\\\": \<(?<username>[^\>]*)"

if it doesn't run, please try this:

| rex "\\\\"requestParameters\\\\": \{\\\\"userName\\\\": \<(?<username>[^\>]*)"

If instead you don't have backslashes before quotes (as I suppose), please try this:

| rex "\"requestParameters\": \{\"userName\": \<(?<username>[^\>]*)"

If you could share a full logs I could be more sure

Ciao.

Giuseppe

Re: Reg - username extraction

Sasti — Fri, 03 Jun 2022 09:48:47 GMT

Yeah, the log is JSON type, Thanks for your support I'll try this out with your examples and let you know if those work, or else I'll try to send the full logs.

Re: Reg - username extraction

Sasti — Fri, 03 Jun 2022 10:00:39 GMT

Hi @gcusello

Thanks dude, now I can able to extract the username. let's have fun and enjoy.

Re: Reg - username extraction

gcusello — Fri, 03 Jun 2022 10:09:17 GMT

Hi @Sasti,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉