Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

algosec user login

rashid47010
Communicator
‎01-17-2017 01:21 AM

Below is the event

-f LOGIN -s 181xxxxxxxxxx84 -u 00xxx -H qmxwwssddsddddwwssaa

the login username is always come after "-u" how can I extract that user and map it against field.

the location of -u 00xxx is variable depend of type of event

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎01-17-2017 01:34 AM

You could use the following regex for instance:

your base search
| rex  "\-u (?<username>\S+)"

For example:

| stats count
| fields - count
| eval _raw = "LOGIN -s 181xxxxxxxxxx84 -u 00xxx -H qmxwwssddsddddwwssaa"
| rex field=_raw "\-u (?<username>\S+)"

Output:

username
----------------
00xxx

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2017 02:27 AM

Hi rashid47010,
your regex for field extraction is -u\s(?<user>[^ ]*)or rex command 

| rex "-u\s(?<user>[^ ]*)"

see your example at https://regex101.com/r/GfQtmz/3
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎01-17-2017 06:04 AM

@rashid47010 any reason you marked this as accepted answer and not mine?

1) This answer shouldn't even be here when mine was posted 1 hour before as it's not adding anything new and it suspiciously seems slightly different in purpose: changing \S+ with [^ ], changing a blank space with \s, come on.

2) If there is a valid answer already please either add a better one and explain why or give it the points but do not post the same answer twice.

3) @ppablo_splunk can you mediate please?

0 Karma
Reply
Solved! Jump to solution

rashid47010
Communicator
‎06-25-2017 10:00 PM

@Javiergn, sorry for late reply, I just saw your message. actually for stated question I am using
"\S+" as you mentioned in your reply.

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎01-17-2017 01:34 AM

You could use the following regex for instance:

your base search
| rex  "\-u (?<username>\S+)"

For example:

| stats count
| fields - count
| eval _raw = "LOGIN -s 181xxxxxxxxxx84 -u 00xxx -H qmxwwssddsddddwwssaa"
| rex field=_raw "\-u (?<username>\S+)"

Output:

username
----------------
00xxx
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...