All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Palo Alto TA user field extraction issue

jwalzerpitt
Influencer
‎03-27-2020 06:57 AM

Having an issue with trying to drop a prefix before the username field in the Palo Alto app. The username has the prefix of 'foo\' before the user name. I checked the props.conf file in the app to see the following stanza:

# Set user field
EVAL-user                            = coalesce(src_user,dest_user,"unknown")

I created a regex that I tested on regex101 which worked perfectly

,foo\\(?<user>[^,]+),

However, testing that regex in Splunk I get, "The regex '_raw=,foo(?[^,]+),' is invalid. Regex: unmatched closing parenthesis.
Any suggestions on how to get rid of the prefix and just keep the user name?

0 Karma
Reply

jwalzerpitt
Influencer
‎03-30-2020 05:25 AM

Finally figured this out. Used the following which worked:

EXTRACT-foo_user = ,foo(?:\\\\|\\)(?<user>[^,]+),
0 Karma
Reply

to4kawa
Ultra Champion
‎03-27-2020 02:50 PM

props.conf

EVAL-user = trim(coalesce(src_user,dest_user,"unknown"),"foo\\")
Reply
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out &gt;&gt; &#x1f3c6; Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...