Splunk Enterprise Security

Extracting values from a field

moayadalghamdi
Path Finder

Hello Splunker

 

usernames in my environment are shown as  :

user=Company\username@AD#

 

where the # is a number

and some users are shown as:

user=Company\username$@AD#

 

the username has many variations"

  • only numbers
  • only letters
  • combination of both

 

i want to extract only the username with the other letters

 

thanks ^_^

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Something like this?

| makeresults 
| eval _raw="user=Company\\username$@AD#
user=Company\\username@AD#"
| multikv noheader=t
| fields _raw



| rex "\\\(?<username>.+?)\$?\@"

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Something like this?

| makeresults 
| eval _raw="user=Company\\username$@AD#
user=Company\\username@AD#"
| multikv noheader=t
| fields _raw



| rex "\\\(?<username>.+?)\$?\@"

moayadalghamdi
Path Finder

sir you're a legend, thanks ^_^

 

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>