topic Regular Expression to Extract a username out after matching a Specific String of Characters in Splunk Search

Regular Expression to Extract a username out after matching a Specific String of Characters

zzaveri — Thu, 11 Jan 2018 16:18:50 GMT

Hi All,

I am attempting to do a field extraction using regular expression and I am having some trouble. I have the following syslog message below from a test Juniper firewall. The username I am logging in with is jdoe-2fa and I have other users that have usernames as well with "-2fa" in their username. What I am trying to do is create a regular expression that searches for -2fa but extracts the actual full username jdoe-2fa so that I can create a field called user.

Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 [Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH from 192.168.1.100:53429 (2018-01-09 15:35:15)

Re: Regular Expression to Extract a username out after matching a Specific String of Characters

micahkemp — Thu, 11 Jan 2018 20:15:59 GMT

Run anywhere example:

| makeresults | eval _raw="Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 [Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH from 192.168.1.100:53429 (2018-01-09 15:35:15)"
| rex "user (?<full_user>(?<no_2fa_user>[^\/]+?)(-2fa)?)\/"

Re: Regular Expression to Extract a username out after matching a Specific String of Characters

mayurr98 — Thu, 11 Jan 2018 20:41:11 GMT

Try this

index=<your_index>   | rex field=_raw “user\s(?<user>[^\/]+)” | search user=*-2fa

Let me know if this helps

Re: Regular Expression to Extract a username out after matching a Specific String of Characters

micahkemp — Thu, 11 Jan 2018 20:47:54 GMT

Actually this seems closer to what was asked for. At first I was thinking it was asked to separate the -2fa from the rest of the username, but at second glance that doesn’t appear to be the case.

Re: Regular Expression to Extract a username out after matching a Specific String of Characters

mayurr98 — Thu, 11 Jan 2018 20:55:53 GMT

No worries happens 🙂 You are doing quite well .conf18 pass for this month is mostly yours !

Re: Regular Expression to Extract a username out after matching a Specific String of Characters

zzaveri — Thu, 11 Jan 2018 21:02:49 GMT

I get the following message

Error in 'SearchParser': Missing a search command before '^'. Error at position '55' of search query 'search index="indexname" | rex field=_raw “user\s(?[^\/]+)” |}'.

Re: Regular Expression to Extract a username out after matching a Specific String of Characters

mayurr98 — Thu, 11 Jan 2018 21:15:28 GMT

What query are you running?put it in 101010 sample code

Re: Regular Expression to Extract a username out after matching a Specific String of Characters

micahkemp — Thu, 11 Jan 2018 21:21:28 GMT

Your double quotes came across wrong.

| rex field=_raw "user\s(?<user>[^\/]+)"

Re: Regular Expression to Extract a username out after matching a Specific String of Characters

micahkemp — Thu, 11 Jan 2018 21:24:50 GMT

Hopefully we'll both get to go and enjoy some beverages!

It's basically this month or bust for me. They'll put me back to work next month, so I won't have nearly as much time to post on answers.

Re: Regular Expression to Extract a username out after matching a Specific String of Characters

mayurr98 — Thu, 11 Jan 2018 21:35:26 GMT

Yeah I hope so all the best !

Re: Regular Expression to Extract a username out after matching a Specific String of Characters

zzaveri — Fri, 12 Jan 2018 00:05:21 GMT

Thank you that resolved the issue.

Re: Regular Expression to Extract a username out after matching a Specific String of Characters

micahkemp — Fri, 12 Jan 2018 00:08:04 GMT

If the answer solved your issue, please accept it so the question looks resolved.