Getting Data In

What is the better way of extracting user from domain in configuration

lucas4394
Path Finder

We have a Splunk TA that already extracts the user field (defined in transforms.conf) from the raw data; however, the user field contains the domain and the user ID, for example, domain_xyz\user_id_123. I need to strip out the user ID so that it can be applied to the user auto-lookup. I created custom field parsing via transforms.conf and props.conf as follows:

Fields >> Field transformations >> field_extract_user
Type: regex-based
Regular expression: (\S+\\){0,1}(?<user>.*)
Source Key: user

I created a stanza in props.conf as REPORT-field_extract_user and pointed it to the transform, field_extract_user. However, it didn't work. Does anyone have any clues about what I missed? Thanks.

0 Karma

MuS
Legend

Hi lucas4394,

Without knowing the order in which those fields will be extracted, it is hard to tell what the issue is. I would try the regex on _raw and also use a completely new field name like MyNewUser so it will be unique while you are testing. Once it works, disable the original user extraction and modify yours so it extracts the user field from _raw.

Hope this helps ...

cheers, MuS

0 Karma

lucas4394
Path Finder

Hi MuS, this is mainly from the default Splunk Palo Alto Networks Add-on. The field transform is delimiter-based.

0 Karma
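An added example (not from the thread or the Palo Alto Networks Add-on) that reproduces in Python the two-step chain the question describes: a delimiter-based extraction of user, followed by the question's regex applied to that field, with the result written to a new unique field as MuS suggests. The three-column event layout and field names are assumed, and the sample events are constructed.

```python
import re

# Splunk uses PCRE named groups, (?<user>...); Python's re spells them (?P<user>...).
DOMAIN_STRIP_RE = re.compile(r"(\S+\\){0,1}(?P<user>.*)")


def strip_domain(user_value: str) -> str:
    r"""Apply the question's transform to one value of the extracted user field.

    Mirrors: SOURCE_KEY = user, REGEX = (\S+\\){0,1}(?<user>.*).
    The optional group swallows the longest run of non-space characters that
    ends in a backslash, so 'domain_xyz\user_id_123' yields 'user_id_123' and a
    value with no backslash passes through unchanged. A space inside the prefix
    defeats \S+, so such a value is also left untouched.
    """
    match = DOMAIN_STRIP_RE.match(user_value)
    return match.group("user") if match else user_value


def delimiter_extract(raw: str, field_names: list[str], delim: str = ",") -> dict[str, str]:
    """Simulate the Add-on's delimiter-based transform (DELIMS/FIELDS style).

    The field order is hypothetical; the real Add-on layout is not on the page.
    """
    return dict(zip(field_names, raw.split(delim)))


def extract_user_id(raw: str, field_names: list[str]) -> dict[str, str]:
    """Chain both steps in the order props.conf REPORT-* stanzas would run them:
    delimiter extraction first, then the regex keyed on the extracted user field.
    The result lands in a new field (user_id) instead of overwriting user, which
    keeps it unique while testing, as MuS advises.
    """
    event = delimiter_extract(raw, field_names)
    event["user_id"] = strip_domain(event.get("user", ""))
    return event


# Constructed sample events using a hypothetical three-column layout.
FIELDS = ["timestamp", "user", "action"]
SAMPLE_EVENTS = [
    "2024-01-01T00:00:00Z,domain_xyz\\user_id_123,allow",
    "2024-01-01T00:00:01Z,user_id_456,deny",
]

if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(extract_user_id(raw, FIELDS))
```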