How do you remove varying characters from a string in a field?

newill
New Member

Hi again!

I need help with removing characters from a string. We have a tool that generates a user field that is typically domain\user. I have used replace to fix that issue because domain is static, so I do replace domain* with * in user. However, sometimes the user is a local user account on a workstation and the "domain" becomes the computer name, which varies for each computer, so my previous trick won't work. How can I remove varying computer names that could be different lengths and only report the user (which could also be different lengths)?

Examples

computer\user
computer1\user
computer2\user1
comp\us1

...and all I want is what is on the right side of the \

Thanks!


anthonymelita
Contributor

Sounds like you will want to do a regex extraction. Something like

|rex field=user "(?P<User>\w+$)"

Note: I named the extracted user field with uppercase U to make it different from the originating field to avoid confusion.


newill
New Member

I don't understand what you just said. I have not done any regexing in my life. Is there a good guide on the rex command? The one I found for the rex command wasn't all that helpful to me.


anthonymelita
Contributor

I barely know regex myself.
The Splunk docs for the | rex command are http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Rex

To break down the command I wrote some:

| rex is the Splunk command, you gathered that.
field=user specifies the field name that you want to examine from your Splunk event(s). If you want to examine the whole event you can use "field=_raw".
() parentheses is a regex capture group. In this case we only have one, but it is possible to have many.
?P<User> is saying the data we match should be extracted to a new Splunk field named User.
\w+$ is the regular expression to match on. In this case \w is a word character, + means one or more, and $ means anchored from the right.

This is a very basic expression based on the little bit of info provided. It could very easily capture and extract data that you don't want it to if you were to apply it against the _raw event. That's why you want to isolate it to the specific field computer\user exists in.

For learning and practicing regex in general, there are many websites to do this on. regexr, and regex101 come to mind.

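Added example (not part of the thread above): Python's re module accepts the same (?P<name>...) named-group syntax that Splunk's rex uses, so the pattern from the answer can be exercised offline against the question's sample values before it is put in a search. The script also shows the two caveats the answer hints at: \w+$ stops at characters such as "." or "-" that are not word characters, and any pattern anchored only at the end of the string captures the wrong thing when run against a whole _raw event instead of the user field. The alternative pattern AFTER_BACKSLASH_RE, the sample values with dots and hyphens, and the raw-event line are my own constructed assumptions, not from the original post.

```python
import re

# Pattern exactly as written in the answer above; Splunk rex and Python re
# share the (?P<User>...) named-group syntax.
USER_RE = re.compile(r"(?P<User>\w+$)")

# Assumed alternative (not from the thread): capture everything after the
# last backslash, so dots and hyphens in the account name are kept.
AFTER_BACKSLASH_RE = re.compile(r"\\(?P<User>[^\\]+)$")

# Constructed sample values of the 'user' field, mirroring the question.
SAMPLE_USERS = [
    "computer\\user",
    "computer1\\user",
    "computer2\\user1",
    "comp\\us1",
    "CORP\\john.doe",        # constructed: '.' is not a \w character
    "DESKTOP-01\\svc-backup",  # constructed: '-' is not a \w character
]

# Constructed raw event line, to show why the rex must be scoped to a field.
SAMPLE_RAW = "2019-01-01T00:00:00 user=comp\\us1 action=login"


def extract_user(value, pattern=USER_RE):
    """Return the User capture group for one field value, or None if no match."""
    m = pattern.search(value)
    return m.group("User") if m else None


def extract_all(values, pattern=USER_RE):
    """Map each input value to what the pattern extracts from it."""
    return {v: extract_user(v, pattern) for v in values}


if __name__ == "__main__":
    for label, pat in (("\\w+$ (from the answer)", USER_RE),
                       ("[^\\\\]+$ after a backslash (assumed alternative)", AFTER_BACKSLASH_RE)):
        print(label)
        for value, user in extract_all(SAMPLE_USERS, pat).items():
            print(f"  {value!r:28} -> {user!r}")
        # Against the whole event both patterns pick up trailing text,
        # which is why the answer scopes the rex with field=user.
        print(f"  raw event -> {extract_user(SAMPLE_RAW, pat)!r}")
```

Running the script shows that the answer's pattern is correct for the four values in the question, but returns only "doe" for CORP\john.doe and "backup" for DESKTOP-01\svc-backup; the backslash-anchored alternative keeps the full account name. Either pattern, applied to _raw, captures text from the end of the event rather than the user, so field=user (or an equivalent field restriction) is what keeps the extraction honest.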