What is the better way of extracting user from dom...

lucas4394 · ‎11-18-2019

We have a Splunk TA already extract the user field (defined in transforms.conf) from the raw data; however, the user field contains the domain and the user ID, for example, domain_xyz\user_id_123. And I need to strip out the user ID so that it can be applied to the user auto-lookup. I created custom field parsing via transforms.conf and props.conf as the followings:

Fields >> Field transformations >> field_extract_user
Type: regex-based
Regular expression: (\S+\\){0,1}(?<user>.*)
Source Key: user

I created a stanza in props.conf as REPORT-field_extract_user and pointed to the transform, field_extract_user. However, it didn't work. Does anyone have any clues what I missed? Thanks.

MuS · ‎11-18-2019

Hi lucas4394,

without knowing the order those fields will be extracted it is hard to tell what the issue is. I would try the regex on _raw and also use a completely new field name like MyNewUser so it will be unique while you are testing. Once it works, disable the original user extract and modify yours so it will extract the user field from _raw.

Hope this helps ...

cheers, MuS

lucas4394 · ‎11-20-2019

Hi MuS, this is mainly from the default Splunk Palo Alto Networks Add-on. The field transform is a delimiter-based.

What is the better way of extracting user from domain in configuration

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Submit Now! >

What is the better way of extracting user from domain in configuration

Don't miss your chance to share your Splunk wisdom in-person or virtually at .conf21!Call for Speakers hasbeen extended throughThursday, 5/20! Submit Now! >

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Submit Now! >