We have some Websense proxy logs which are being parsed by the Splunk Add-on for Websense (https://splunkbase.splunk.com/app/2966/), however, the "user" field contains the complete LDAP string of Server, OUs, DCs, making it difficult to correlate against other indexes and user activity.

Example log event:

Sep 26 04:40:19 10.100.100.101 Sep 26 13:40:21 10.100.100.101 vendor=Websense product=Security product_version=7.8.3 action=permitted severity=1 category=101 user=LDAP://10.100.100.100 OU=People,OU=Sydney,OU=APAC,DC=ourcompany,DC=org/Fred Flinstone (Boss) src_host=10.10.10.10 src_port=0 dst_host=m.velocity.ebay.com dst_ip=66.211.187.41 dst_port=80 bytes_out=0 bytes_in=0 http_response=0 http_method=- http_content_type=- http_user_agent=- http_proxy_status_code=0 reason=- disposition=1026 policy=- role=0 duration=0 url=http://m.velocity.ebay.com/clink/6d2f83c8f1d4cb3ed6aeda50d3561e2cd

We are only getting the LDAP protocol and servername, due to the spaces in the user field:

user=LDAP://10.100.100.100

We need this:

user=LDAP://10.100.100.100 OU=People,OU=Sydney,OU=APAC,DC=ourcompany,DC=org/Fred Flinstone (Boss)

to be this:

user=Fred Flinstone (Boss)

This search works perfectly, but we need to make it permanent at index time:

index=proxy sourcetype=websense:cg:kv | rex "user=.*DC=.*\/(?<user>.*?)\s+src_host"

We've also updated the props and transforms to make this permanent, however it does not extract the values from the user field.

props.conf

TRANSFORMS-get_usernames = get_usernames 

transforms.conf

[get_usernames]
REGEX = user=.*DC=.*\/(.*?)\s+src_host
FORMAT = user::$1

I've tried a few similar Websense suggestions from the Answers site, however, they've haven't produced the results we need.