Splunk Add-on for Cisco WSA: How to extract the user from Cisco WSA logs?

Builder

Hi

From the Cisco WSA logs, I get the user information as user=ABCDEFEGH\kiran@ka.ABCDEFEGH.com.

What should I use in props.conf to extract the user by removing

ABCDEFEGH\ 

and

@ka.ABCDEFEGH.com 

at indexing time?

0 Karma

Builder

Try this:

EXTRACT-username = user=[^\\]+\\(?<username>[^@]+)@
0 Karma

Builder

Hi Sk314, thanks for the response. I tried it, but it's not working.

0 Karma

Builder

Can you paste your entry in props.conf here? Does this work in search:

<your index and sourcetype> | rex field=_raw "user=[^\\]+\\(?<username>[^@]+)@" | table username
0 Karma

Builder

[cisco:wsa:squid]
EXTRACT-username = cs_username=[^\]+\(?[^@]+)@

When I run the search I got an error:

Error in 'rex' command: Encountered the following error while compiling the regex 'user=[^]+(?[^@]+)@': Regex: unmatched parentheses

0 Karma

Builder

Try this instead:

<your index and sourcetype> | rex field=_raw "user=[^\\\]+\\\(?<username>[^@]+)@" | table username
0 Karma

Builder

It's working, but not for all users.

0 Karma

Builder

Can you specify where it fails? I just saw that you use cs_username in your props? You might be better off using Splunk's field extractor instead.
Reference: https://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/ExtractfieldsinteractivelywithIFX

0 Karma
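The "works, but not for all users" symptom above is what you get when the regex requires both the DOMAIN\ prefix and the @realm suffix: any event whose user field carries only one of them (or neither, or the "-" that marks an unauthenticated request) never matches. The following is an added example, not code from the thread or from the Cisco WSA add-on: it makes both parts optional, treats "-" as "no user", and counts how many constructed sample lines the thread's original pattern versus the relaxed one covers. The log lines, the "sc-bytes" token and the "-" convention are constructed for the demo; the field name is assumed to be user= as in the first post (adjust to cs_username= if that is what your sourcetype emits). Python's re needs (?P<name>...) where props.conf takes (?<name>...); to_props_conf_regex() emits the props.conf form.

```python
import re

# The pattern from the thread's first answer, in Python named-group syntax.
# It only matches when BOTH "DOMAIN\" and "@realm" are present.
THREAD_PATTERN = re.compile(r"user=[^\\]+\\(?P<username>[^@]+)@")

# Relaxed pattern: optional "DOMAIN\" prefix, optional "@realm" suffix.
# The character classes stop at whitespace so the match cannot run into the
# next key=value pair on the line.
USER_PATTERN = re.compile(
    r"user=(?:(?P<domain>[^\\\s@]+)\\)?(?P<username>[^@\s]+)(?:@(?P<realm>\S+))?"
)

# Constructed sample events covering the variants seen in practice
# (names, realm and trailing field are made up for this example).
LOGS = [
    "user=ABCDEFEGH\\kiran@ka.ABCDEFEGH.com sc-bytes=1234",  # domain + realm
    "user=kiran@ka.ABCDEFEGH.com sc-bytes=10",               # realm only
    "user=ABCDEFEGH\\kiran sc-bytes=10",                     # domain only
    "user=kiran sc-bytes=10",                                # bare name
    "user=- sc-bytes=10",                                    # unauthenticated
]


def extract_user(line: str):
    """Return {'domain', 'username', 'realm'} for a line, or None.

    '-' is the conventional placeholder for "no authenticated user" (an
    assumption for this example); it is reported as None rather than as a
    username so downstream counts per user are not polluted.
    """
    m = USER_PATTERN.search(line)
    if not m or m.group("username") == "-":
        return None
    return {
        "domain": m.group("domain"),
        "username": m.group("username"),
        "realm": m.group("realm"),
    }


def match_count(pattern: re.Pattern, lines) -> int:
    """How many of the sample lines a given pattern matches at all."""
    return sum(1 for line in lines if pattern.search(line))


def to_props_conf_regex() -> str:
    """The relaxed pattern in PCRE form, as it would be written in props.conf
    (EXTRACT-username = <this string>)."""
    return USER_PATTERN.pattern.replace("(?P<", "(?<")


if __name__ == "__main__":
    print("thread pattern matches:", match_count(THREAD_PATTERN, LOGS), "of", len(LOGS))
    print("relaxed pattern matches:", match_count(USER_PATTERN, LOGS), "of", len(LOGS))
    for line in LOGS:
        print(line, "->", extract_user(line))
    print("props.conf form:", to_props_conf_regex())
```

The relaxed pattern is written as a plain PCRE, which is what props.conf expects; if you paste it into a rex command inside a double-quoted SPL string, every backslash has to be doubled again, which is exactly the escaping difference the thread ran into.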