topic Re: Field Extraction did not work in Splunk Search

Field Extraction did not work

gnshah12345 — Wed, 24 Jan 2024 19:55:19 GMT

Oct 30 06:55:08 Server1 request-default Cert x.x.x.x - John bank_user Viewer_PIP_PIP_env vu01 Appl Test [30/Oct/2023:06:54:51.849 -0400] "GET /web/appWeb/external/index.do HTTP/1.1" 200 431 7 9 8080937 x.x.x.x /junctions 25750 - "OU=00000000+CN=John bank_user Viewer_PIP_PIP_env vu01 Appl Test,OU=st,O=Bank,C=us" bfe9a8e8-7712-11ee-ab2e-0050568906b9 "x509: TLSV12: 30" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36"

I have above in the log. I have field extraction (regular expressions) to extract user and in this case "John bank_user Viewer_PIP_PIP_env vu01 Appl Test". The alert did find this user but reported the user name as "john". There are some other users, who have space in the name shows up in alert fine. How do I fix the extraction so entire user name shows up in the alert?

Re: Field Extraction did not work

burwell — Wed, 24 Jan 2024 20:17:04 GMT

Hi. Can you show what props you are currently using?

Re: Field Extraction did not work

isoutamo — Thu, 25 Jan 2024 10:02:13 GMT

as @burwell asked, what you have tried?

Here is some examples which you could also try based on your one line sample.

... | rex "^\w+ \d+ \d\d:\d\d:\d\d \w+ [\w-]+ \w+ [\w\.]+ - (?<User1>[^\[]+)" | eval User1 = rtrim(User1, " ") | rex "CN=(?<User2>[^,]+),OU" ...

r. Ismo