Security

algosec user login

rashid47010
Communicator

Below is the event

-f LOGIN -s 181xxxxxxxxxx84 -u 00xxx -H qmxwwssddsddddwwssaa

the login username is always come after "-u" how can I extract that user and map it against field.

the location of -u 00xxx is variable depend of type of event

Tags (1)
0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

You could use the following regex for instance:

your base search
| rex  "\-u (?<username>\S+)"

For example:

| stats count
| fields - count
| eval _raw = "LOGIN -s 181xxxxxxxxxx84 -u 00xxx -H qmxwwssddsddddwwssaa"
| rex field=_raw "\-u (?<username>\S+)"

Output:

username
----------------
00xxx

View solution in original post

0 Karma

gcusello
Esteemed Legend

Hi rashid47010,
your regex for field extraction is -u\s(?<user>[^ ]*)or rex command

| rex "-u\s(?<user>[^ ]*)"

see your example at https://regex101.com/r/GfQtmz/3
Bye.
Giuseppe

0 Karma

javiergn
SplunkTrust
SplunkTrust

@rashid47010 any reason you marked this as accepted answer and not mine?

1) This answer shouldn't even be here when mine was posted 1 hour before as it's not adding anything new and it suspiciously seems slightly different in purpose: changing \S+ with [^ ], changing a blank space with \s, come on.

2) If there is a valid answer already please either add a better one and explain why or give it the points but do not post the same answer twice.

3) @ppablo_splunk can you mediate please?

0 Karma

rashid47010
Communicator

@Javiergn, sorry for late reply, I just saw your message. actually for stated question I am using
"\S+" as you mentioned in your reply.

0 Karma

javiergn
SplunkTrust
SplunkTrust

You could use the following regex for instance:

your base search
| rex  "\-u (?<username>\S+)"

For example:

| stats count
| fields - count
| eval _raw = "LOGIN -s 181xxxxxxxxxx84 -u 00xxx -H qmxwwssddsddddwwssaa"
| rex field=_raw "\-u (?<username>\S+)"

Output:

username
----------------
00xxx
0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...