Getting Data In

What is the better way of extracting user from domain in configuration

lucas4394
Path Finder

We have a Splunk TA already extract the user field (defined in transforms.conf) from the raw data; however, the user field contains the domain and the user ID, for example, domain_xyz\user_id_123. And I need to strip out the user ID so that it can be applied to the user auto-lookup. I created custom field parsing via transforms.conf and props.conf as the followings:

Fields >> Field transformations >> field_extract_user
Type: regex-based
Regular expression: (\S+\\){0,1}(?<user>.*)
Source Key: user

I created a stanza in props.conf as REPORT-field_extract_user and pointed to the transform, field_extract_user. However, it didn't work. Does anyone have any clues what I missed? Thanks.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi lucas4394,

without knowing the order those fields will be extracted it is hard to tell what the issue is. I would try the regex on _raw and also use a completely new field name like MyNewUser so it will be unique while you are testing. Once it works, disable the original user extract and modify yours so it will extract the user field from _raw.

Hope this helps ...

cheers, MuS

0 Karma

lucas4394
Path Finder

Hi MuS, this is mainly from the default Splunk Palo Alto Networks Add-on. The field transform is a delimiter-based.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!