Splunk Enterprise Security

Extracting values from a field

moayadalghamdi
Path Finder

Hello Splunker

 

usernames in my environment are shown as  :

user=Company\username@AD#

 

where the # is a number

and some users are shown as:

user=Company\username$@AD#

 

the username has many variations"

  • only numbers
  • only letters
  • combination of both

 

i want to extract only the username with the other letters

 

thanks ^_^

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Something like this?

| makeresults 
| eval _raw="user=Company\\username$@AD#
user=Company\\username@AD#"
| multikv noheader=t
| fields _raw



| rex "\\\(?<username>.+?)\$?\@"

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Something like this?

| makeresults 
| eval _raw="user=Company\\username$@AD#
user=Company\\username@AD#"
| multikv noheader=t
| fields _raw



| rex "\\\(?<username>.+?)\$?\@"

moayadalghamdi
Path Finder

sir you're a legend, thanks ^_^

 

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...