Splunk Enterprise Security

Extracting values from a field

moayadalghamdi
Path Finder

Hello Splunker

Usernames in my environment are shown as:

user=Company\username@AD#

where the # is a number,

and some users are shown as:

user=Company\username$@AD#

The username has many variations:

  • only numbers
  • only letters
  • combination of both

I want to extract only the username with the other letters

Thanks ^_^



ITWhisperer
SplunkTrust

Something like this?

| makeresults
| eval _raw="user=Company\\username$@AD#
user=Company\\username@AD#"
| multikv noheader=t
| fields _raw
| rex "\\\(?<username>.+?)\$?\@"
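The same extraction as the rex above, rewritten as an added Python example (not the poster's code or Splunk's) so it can be checked offline against constructed events covering the letters-only, digits-only and mixed usernames from the question, with and without the `$` suffix. The sample values and the `machine_account` flag are my assumptions, not something the thread states.

```python
import re

# Same shape as the SPL rex in the answer: a literal backslash, the username
# captured lazily, an optional "$" suffix, then the "@" that starts the "AD#"
# realm. Python needs (?P<name>...) for named groups, and a raw string needs
# only "\\" for the literal backslash, where the SPL writes "\\\" because
# Splunk's double-quoted search string consumes one level of escaping first.
USER_RE = re.compile(r"\\(?P<username>.+?)(?P<suffix>\$?)@")


def parse_user_field(line):
    """Return {"username": ..., "machine_account": bool} for one event,
    or None when the line carries no Company\\name[$]@AD# value."""
    m = USER_RE.search(line)
    if m is None:
        return None
    return {
        "username": m.group("username"),
        # Assumption (not stated in the thread): a trailing "$" follows the
        # Active Directory convention for computer accounts, so keep that bit
        # rather than silently dropping it.
        "machine_account": m.group("suffix") == "$",
    }


def extract_usernames(lines):
    """Username per line, None where the pattern does not match."""
    return [(r or {}).get("username") for r in map(parse_user_field, lines)]


# Constructed sample events: letters only, digits only, mixed, a "$"-suffixed
# account, and one malformed line (no "@") to show the no-match case.
SAMPLE_EVENTS = [
    "user=Company\\jsmith@AD1",
    "user=Company\\12345@AD2",
    "user=Company\\ws42$@AD3",
    "user=Company\\a1b2c3@AD1",
    "user=Company\\no-realm-here",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(f"{line:32} -> {parse_user_field(line)}")
```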

moayadalghamdi
Path Finder

Sir, you're a legend, thanks ^_^