
How do I extract user field from connection events?


We recently began piping connection events into Splunk in order to track URL history for our users. However, I see the user data in the event, but it is not appearing in my event fields. I can search by string using "user=john.smith", but if I try to search user=john.smith it will not work. Any ideas on what to adjust? Thanks!



Path Finder

Also, you can create a field extraction for your data that was already indexed:
All Fields -> Extract New Fields



Super Champion

If you try searching for user=john.smith then Splunk is expecting to find a field called 'user'. If you want to create a field called user at search time you can use rex...

Your Search | rex field=_raw "(?<user>\w+\=\w+\.\w+)"

This will create a field in that search called 'user', and in this case it will equal 'user=john.smith'.

You should be able to search all users with the search:

Your Search | rex field=_raw "(?<user>\w+\=\w+\.\w+)" | search user=*

There is a problem with this regex extract: user names with numbers or special characters, or with more than one '.' segment, will not get recognized. You should review your username rules to make sure the regex captures all possible user names.

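To make the caveat in the answer above concrete, here is an added example (not part of the original thread or of Splunk's own code) that runs the answer's regex and a hardened alternative over a few constructed key=value events. The sample events, the delimiter set and the field layout are assumptions; Splunk's rex uses PCRE named groups written as (?<user>...), which Python's re module spells (?P<user>...).

```python
import re
from typing import Optional

# Constructed sample events (not from the original post) in the key=value
# style the question describes: a timestamp, the user, and the visited URL.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z user=john.smith url=https://example.com/a",
    "2024-05-01T10:00:01Z user=mary.o-neil url=https://example.com/b",
    "2024-05-01T10:00:02Z user=a.b.c url=https://example.com/c",
    "2024-05-01T10:00:03Z src=10.0.0.1 user=svc_backup url=https://example.com/d",
]

# The answer's regex, translated to Python syntax. Splunk's rex uses PCRE
# named groups (?<user>...); Python's re module spells them (?P<user>...).
ANSWER_PATTERN = re.compile(r"(?P<user>\w+=\w+\.\w+)")

# Hardened pattern: anchor on the literal key "user=" at a token boundary so
# a neighbouring key=value pair (such as src=10.0.0.1) cannot be captured
# instead, and accept any run of non-delimiter characters as the value
# (digits, '-', '_', several '.' segments). The delimiter set is an
# assumption about this log format.
HARDENED_PATTERN = re.compile(r"(?:^|(?<=\s))user=(?P<user>[^\s,;\"']+)")


def extract_with_answer_regex(event: str) -> Optional[str]:
    """Return what the answer's regex captures, or None.

    The captured value still carries the 'user=' prefix, exactly as the
    answer says, and it can be truncated or taken from the wrong key.
    """
    m = ANSWER_PATTERN.search(event)
    return m.group("user") if m else None


def extract_user(event: str) -> Optional[str]:
    """Return the bare username from a key=value event, or None if absent."""
    m = HARDENED_PATTERN.search(event)
    return m.group("user") if m else None


def compare(events):
    """Side-by-side results per event: (answer regex, hardened regex)."""
    return [(extract_with_answer_regex(e), extract_user(e)) for e in events]


if __name__ == "__main__":
    for event, (loose, strict) in zip(SAMPLE_EVENTS, compare(SAMPLE_EVENTS)):
        print(f"{event}\n  answer regex -> {loose!r}\n  hardened     -> {strict!r}")
```

On these events the answer's regex returns "user=mary.o" for mary.o-neil, "user=a.b" for a.b.c, and "src=10.0" for the event whose first dotted key=value pair is the source address, while the anchored pattern returns the bare usernames. The same hardened expression can be used in SPL as `rex field=_raw "(?:^|\s)user=(?<user>[^\s,;\"']+)"`, or turned into a permanent extraction in props.conf so the field exists at search time without a per-search rex.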

Splunk Employee

Hi @cm22486 - If the answer provided by @lukejadamec helped answer your question, please don't forget to resolve this post by clicking "Accept" below the answer.

If it did not resolve your question, please provide feedback by leaving a comment so that he or another user can try to help you out further. Thank you!
