We recently began piping connection events into Splunk in order to track URL history for our users. However, I see the user data in the event, but it is not appearing in my event fields. I can search by string using "user=john.smith" but if I try to search user=john.smith it will not work. Any ideas on what to adjust? Thanks!
Also you can make a fields extraction for your data, which were indexed
All Fields - >> Extract New Fields
If you try searching for user=john.smith then Splunk is expecting to find a field called 'user'. If you want to create a field called user at search time you can use rex...
Your Search | rex field=_raw "(?<user>\w+\=\w+\.\w+)"
This will create a field in that search called 'user', and in this case it will equal 'user=john.smith'.
You should be able to search all users with the search:
Your Search | rex field=_raw "(?<user>\w+\=\w+\.\w+)" | search user=*
There is a problem with this regex extract - user names with numbers or special characters or more then one '.' segment will not get recognized. You should review your username rules to make sure the regex captures all possible user names.
Hi @cm22486 - If the answer provided by @lukejadamec helped answer your question, please don't forget to resolve this post by clicking "Accept" below the answer.
If it did not resolve your question, please provide feedback by leaving a comment so that he or another user can try to help you out further. Thank you!