Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can we use regex to search for word?

Nawab
Path Finder
‎06-22-2023 04:20 AM

let's suppose I have a set of the log from Windows authentication and I want to search if user field does not match a specific pattren, can we use regex to do that in splunk.

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2023 04:23 AM

Hi @Nawab,

you can use the regex command (https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Regex) or, if you have to use only a word, you can use the simple search of Splunk: Splunk is a search engine.

Could you better describe what you want to search?

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

Nawab
Path Finder
‎06-22-2023 04:38 AM

So lets suppose there is a naming convention for user names in an organization

user1=foo.baar1

user2=foo.bar2

user3=foo12

 

Now user convention is firstname.secondname+number
and now i want to whitelist this so this convention and alert when a user without same regex is find will trigger alert

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2023 04:49 AM

Hi @Nawab,

you want to have as result only the third value, is it correct?

if this is your requirement, you could use the following regex:

In other words:

| makeresults | eval user="foo.baar1"
| append [ | makeresults | eval user="foo.bar2" ]
| append [ | makeresults | eval user="foo12" ]
| table _time  user
| regex user!="^\w+\.\w+\d"

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Nawab
Path Finder
‎06-22-2023 05:02 AM

Your query is working if data is created using this query.

 

I changed some values 
now user names are 

| makeresults | eval user="abc1234"
| append [ | makeresults | eval user="xyz" ]
| append [ | makeresults | eval user="abc0-abr123" ]
| table _time user
| regex user!="^\w+"

here I want to remove if the user only has letters but no number
why doesn't it works

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2023 06:14 AM

Hi @Nawab ,

because \w means alphabetical chars, so also numbers.

In this case, you have to use the solution from @ITWhisperer .

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-22-2023 05:31 AM 
| regex user!="^[a-zA-Z]+$"
Reply
Solved! Jump to solution

Nawab
Path Finder
‎06-22-2023 05:33 AM

Thanks  its working 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2023 04:23 AM

Hi @Nawab,

you can use the regex command (https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Regex) or, if you have to use only a word, you can use the simple search of Splunk: Splunk is a search engine.

Could you better describe what you want to search?

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...