Re: Need calculated field in props.conf

VijaySrrie · ‎03-01-2023

Hi

I have extracted a field username and it has domain and user

username= "google\\john"
username="googleuser"
username = "admin"

I need calculated to be created in props.conf where google should go to domain and john should go to user field

This domain field will be there only in certain logs

So whatever is there before "\\" should be considered as domain and after "\\" is user
In some cases domain wont be there, for those cases username to be tagged to user field

All this should happeb at backend props.conf

domain = google

user= john
user = googleuser
user = admin

gcusello · ‎03-01-2023

Hi @VijaySrrie ,

you have to create another field extraction usig this regex

^((?<domain>\w+)\\\\)*(?<user>\w+) in user

that's the same thing to run the following command:

| rex field=user "^((?<domain>\w+)\\\\)*(?<user>\w+)"

you can test the regex at https://regex101.com/r/j6kC26/1

Ciao.

Giuseppe

How do I calculate field in props.conf?

calculated field

field extraction

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?