topic Re: How to match \\ in regex to extract a value from a field in my data? in Splunk Search

How to match \\ in regex to extract a value from a field in my data?

reswob4 — Mon, 26 Oct 2015 18:44:00 GMT

I have logs that have the following two formats

1. Oct 26 13:22:55 1.2.3.4 1 2015-10-26T13:22:51.480-04:00 Device.domain.tld View - 2020 [View@6876 Severity="AUDIT_SUCCESS" Module="Admin" EventType="ADMIN_USERLOGGEDIN" UserSID="xxxxxxxxxxxxxxxxx" UserDisplayName="DOMAIN\\user1"] User DOMAIN\user1 has logged in to View Administrator
2. Oct 26 12:31:39 1.2.3.4 1 2015-10-26T12:31:31.351-04:00 Host.domain.tld View - 1007 [View@6876 Severity="INFO" Module="Agent" EventType="AGENT_CONNECTED" UserSID="yyyyyyyyyyyyyyyyy" UserDisplayName="DOMAIN\\user2" DesktopId="remote_access" PoolId="remote_access" MachineId="zzzzzzzzzzzzzzzzzzzzz" MachineName="hostname" MachineDnsName="host.domain.tld"] User DOMAIN\user2 has logged in to a new session on machine hostname
3. Oct 26 12:30:52 1.2.3.4 1 2015-10-26T12:30:51.331-04:00 Device.domain.tld View - 150 [View@6876 Severity="AUDIT_FAIL" Module="Broker" EventType="BROKER_USER_AUTHFAILED_SECUREID_ACCESS_DENIED" UserDisplayName="user2"] SecurID access denied for user user2
4. Oct 26 12:31:18 1.2.3.4 1 2015-10-26T12:31:15.882-04:00 host.domain.tld View - 1003 [View@6876 Severity="INFO" Module="Agent" EventType="AGENT_PENDING" UserSID="xxxxxxxxxxxxxxxxx" UserDisplayName="DOMAIN\\user2" DesktopId="remote_access" PoolId="remote_access" MachineId="zzzzzzzzzzzzzzzzzzzzz" MachineName="hostname" MachineDnsName="host.domain.tld"] The agent running on machine hostname has accepted an allocated session for user DOMAIN\user2

I want to capture the username into a field called user. This would be the username part of the UserDisplayName field, but this shows up two different ways.

UserDisplayName="DOMAIN\\username" 
UserDisplayName="username"

Inside a regex tester, I got the following syntax to work:

UserDisplayName=".*\\(.*)"

And that gives me the right group. But when I tried converting that to splunk, I used:

rex field=_raw "UserDisplayName=.*\\\(?<user>.*)"

This gave me the following:

user: user1 has logged in to View Administrator
user: user2 has logged in to a new session on machine hostname
user:
user: user2 So anything involving \\ seems to be problematic.

I figure once I get the syntax for each variable, I can use coalesce to get one overall label. But I'm not sure how to go about this.

Suggestions?

Re: How to match \\ in regex to extract a value from a field in my data?

aljohnson_splun — Mon, 26 Oct 2015 18:51:07 GMT

You need to escape BOTH slashes with an additional backslash.

so the first escape would be \\ then the second escape would be \\:

UserDisplayName=".*\\\\(.*)"

Also, you probably want to make sure its an optional group in case the basic version shows up: https://regex101.com/r/fA4tO1/3

rex "UserDisplayName=(?:.*\\\\)?(?<username>.*)"

Re: How to match \\ in regex to extract a value from a field in my data?

reswob4 — Mon, 26 Oct 2015 19:32:59 GMT

Hmm.. Tried that and it's weird. I wonder if something is wrong with my overall config.

I get the same results if I use:

rex  "\\\(?<user>.*?) "

rex  "\\\\(?<user>.*?) "

they both give me:

user:  \username"

So I'm not sure why I'm getting the leading slash and why I'm getting the trailing quotes

I'm continuing to try different things...

Re: How to match \\ in regex to extract a value from a field in my data?

reswob4 — Mon, 26 Oct 2015 20:35:30 GMT

OK, here's what I got to work.

 rex field=_raw "UserDisplayName=(?<user>.*?) " | eval user1=rtrim(user,"]") | eval user2=trim(user1,"\"") | eval user3=ltrim(user2,"DOMAIN\\") | rename user4 AS user

this gives me:

user: username

Note: the first rex command does NOT work if you use

rex field=_raw "UserDisplayName=(?<username>.*?) "

you have to have user in there, not username or something else.

I'm marking the other answer as correct because that directly answered my question, even if it wasn't the method I used to get what I needed.

Thanks.