topic Re: Regex to search for word in Splunk Search

Can we use regex to search for word?

Nawab — Thu, 22 Jun 2023 17:45:45 GMT

let's suppose I have a set of the log from Windows authentication and I want to search if user field does not match a specific pattren, can we use regex to do that in splunk.

Re: Regex to search for word

gcusello — Thu, 22 Jun 2023 11:23:50 GMT

Hi @Nawab,

you can use the regex command (https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Regex) or, if you have to use only a word, you can use the simple search of Splunk: Splunk is a search engine.

Could you better describe what you want to search?

Ciao.

Giuseppe

Re: Regex to search for word

Nawab — Thu, 22 Jun 2023 11:38:46 GMT

So lets suppose there is a naming convention for user names in an organization

user1=foo.baar1

user2=foo.bar2

user3=foo12

Now user convention is firstname.secondname+number
and now i want to whitelist this so this convention and alert when a user without same regex is find will trigger alert

Re: Regex to search for word

gcusello — Thu, 22 Jun 2023 11:49:27 GMT

Hi @Nawab,

you want to have as result only the third value, is it correct?

if this is your requirement, you could use the following regex:

In other words:

Ciao.

Giuseppe

Re: Regex to search for word

Nawab — Thu, 22 Jun 2023 12:02:32 GMT

Your query is working if data is created using this query.

I changed some values
now user names are

Re: Regex to search for word

ITWhisperer — Thu, 22 Jun 2023 12:31:04 GMT

| regex user!="^[a-zA-Z]+$"

Re: Regex to search for word

Nawab — Thu, 22 Jun 2023 12:33:22 GMT

Thanks its working

Re: Regex to search for word

gcusello — Thu, 22 Jun 2023 13:14:26 GMT

Hi @Nawab ,

because \w means alphabetical chars, so also numbers.

In this case, you have to use the solution from @ITWhisperer .

Ciao.

Giuseppe