Palo Alto TA user field extraction issue

jwalzerpitt
Influencer

I'm having an issue trying to drop a prefix from the username field in the Palo Alto app. The username has the prefix 'foo\' before the user name. I checked the props.conf file in the app and found the following stanza:

# Set user field
EVAL-user                            = coalesce(src_user,dest_user,"unknown")

I created a regex that I tested on regex101, which worked perfectly:

,foo\\(?<user>[^,]+),

However, testing that regex in Splunk I get: "The regex '_raw=,foo(?[^,]+),' is invalid. Regex: unmatched closing parenthesis."
Any suggestions on how to get rid of the prefix and just keep the user name?


jwalzerpitt
Influencer

Finally figured this out. Used the following which worked:

EXTRACT-foo_user = ,foo(?:\\\\|\\)(?<user>[^,]+),

to4kawa
Ultra Champion

props.conf

EVAL-user = trim(coalesce(src_user,dest_user,"unknown"),"foo\\")
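As an added example (not code from either poster or from the Palo Alto add-on), the following Python script replays both answers above against constructed sample lines: the EXTRACT regex from the accepted answer, transcribed to Python's re module, and the trim() approach, which strips a character set rather than a literal prefix. The log lines, usernames and the helper names are made up for illustration; Splunk's trim(X, Y) is mirrored with Python's str.strip(chars), which has the same character-set semantics.

```python
import re

# Regex from the accepted props.conf answer, transcribed to Python's re (same
# PCRE-style syntax). A props.conf EXTRACT value is used verbatim by the regex
# engine, so `\\\\` is two literal backslashes and `\\` one; the alternation
# accepts either form of the "foo\" prefix.
USER_RE = re.compile(r",foo(?:\\\\|\\)(?P<user>[^,]+),")

# Constructed sample lines (not real Palo Alto traffic): CSV-style records whose
# user field carries the domain prefix, once with a single backslash and once
# with a doubled backslash as a logger that escapes it would write it. The third
# line has no prefix at all.
SAMPLE_LINES = [
    r"1,2024/01/01 12:00:00,001,TRAFFIC,end,foo\oscar,10.0.0.5,allow",
    r"1,2024/01/01 12:00:01,002,TRAFFIC,end,foo\\bob,10.0.0.6,deny",
    r"1,2024/01/01 12:00:02,003,TRAFFIC,end,unknown,10.0.0.7,deny",
]


def extract_user(line: str):
    """Apply the EXTRACT regex to one raw line.

    Returns the bare username, or None when the prefixed field is absent
    (Splunk would simply not create the field in that case).
    """
    m = USER_RE.search(line)
    return m.group("user") if m else None


def extract_all(lines=SAMPLE_LINES):
    """Run the extraction over every sample line; None marks a non-match."""
    return [extract_user(line) for line in lines]


def trim_like_splunk(value: str, chars: str = "foo\\") -> str:
    """Mirror Splunk's trim(X, Y): strip any of the characters in Y from both
    ends of X. Python's str.strip(chars) treats its argument as a character
    set in exactly the same way, so this reproduces the behaviour of
    EVAL-user = trim(..., "foo\\")."""
    return value.strip(chars)


def strip_prefix(value: str, prefix: str = "foo\\") -> str:
    """Anchored removal of the literal prefix only (hypothetical helper).

    Unlike trim(), this never touches characters that belong to the username.
    """
    return value[len(prefix):] if value.startswith(prefix) else value


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        field = line.split(",")[5]
        print(f"regex={extract_user(line)!r:10} trim={trim_like_splunk(field)!r:10} "
              f"prefix={strip_prefix(field)!r}")
```

The regex extraction returns oscar and bob and leaves the unprefixed line alone. trim(), however, removes any of the characters f, o and the backslash from both ends of the value, so foo\oscar comes back as scar; an anchored extraction, or an anchored replace(), keeps the whole name.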