Re: Need calculated field in props.conf

VijaySrrie · ‎03-01-2023

Hi

I have extracted a field username and it has domain and user

username= "google\\john"
username="googleuser"
username = "admin"

I need calculated to be created in props.conf where google should go to domain and john should go to user field

This domain field will be there only in certain logs

So whatever is there before "\\" should be considered as domain and after "\\" is user
In some cases domain wont be there, for those cases username to be tagged to user field

All this should happeb at backend props.conf

domain = google

user= john
user = googleuser
user = admin

gcusello · ‎03-01-2023

Hi @VijaySrrie ,

you have to create another field extraction usig this regex

^((?<domain>\w+)\\\\)*(?<user>\w+) in user

that's the same thing to run the following command:

| rex field=user "^((?<domain>\w+)\\\\)*(?<user>\w+)"

you can test the regex at https://regex101.com/r/j6kC26/1

Ciao.

Giuseppe

How do I calculate field in props.conf?

calculated field

field extraction

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?