Re: Advise a rex for domain\username example wind...

LintuMathews · ‎04-09-2015

can you please advise a rex for domain\username example windows\mathews

Below is sample of event I am trying to extract

http://windows/corp/it/us\x00\x00admin/forms/allitems.aspx\x00windows\mathews\x00

somesoni2 · ‎04-09-2015

Give this a try

Updated

your base search | rex field=yourfieldname  "windows\\\\(?<UserName>\w+)"

Runanywhere sample search

| gentimes start=-1 | eval temp="http://windows/corp/it/us\x00\x00admin/forms/allitems.aspx\x00windows\mathews\x00" | table temp | rex field=temp "windows\\\\(?<UserName>\w+)"

LintuMathews · ‎04-09-2015

Didn't work out, the domain name here "windows`mathews`" where "windows" is like a static domain name i have in all the logs meaning I dont have anyother domains except "windows", I just want to grab the username out of it

somesoni2 · ‎04-10-2015

try the updated query

Skippy · ‎04-10-2015

That will work if your usernames only ever contain a-z 0-9 or _

This one will match any character up to a \

your base search | rex field=yourfieldname "windows\\(?.+?)\"

LintuMathews · ‎04-10-2015

I was hoping something like this would work, this was generated through the erex , but needs some adjustments i guess

rex "(?i)windows\(?P[^\]+)"

Advise a rex for domain\username example windows\mathews

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Advise a rex for domain\username example windows\mathews

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability