Let's suppose I have a set of logs from Windows authentication and I want to search for events where the user field does not match a specific pattern. Can we use regex to do that in Splunk?
Hi @Nawab,
you can use the regex command (https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Regex) or, if you have to use only a word, you can use the simple search of Splunk: Splunk is a search engine.
Could you better describe what you want to search?
Ciao.
Giuseppe
So let's suppose there is a naming convention for user names in an organization:
user1=foo.baar1
user2=foo.bar2
user3=foo12
Now the user convention is firstname.secondname+number,
and I want to whitelist this convention and trigger an alert when a user that does not match the regex is found.
Hi @Nawab,
you want to have as result only the third value, is it correct?
if this is your requirement, you could use the following regex:
In other words:
| makeresults | eval user="foo.baar1"
| append [ | makeresults | eval user="foo.bar2" ]
| append [ | makeresults | eval user="foo12" ]
| table _time user
| regex user!="^\w+\.\w+\d"
Ciao.
Giuseppe
Your query works if the data is created using this query.
I changed some values;
now the user names are:
| makeresults | eval user="abc1234"
| append [ | makeresults | eval user="xyz" ]
| append [ | makeresults | eval user="abc0-abr123" ]
| table _time user
| regex user!="^\w+"
Here I want to remove users that only have letters but no number.
Why doesn't it work?
Hi @Nawab ,
because \w means alphabetical chars, so also numbers.
In this case, you have to use the solution from @ITWhisperer .
Ciao.
Giuseppe
| regex user!="^[a-zA-Z]+$"
Thanks, it's working.
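The two checks discussed in this thread (keep only users outside the firstname.secondname+number convention, and drop users made of letters only) as an added example, not code from the original posts. It re-implements the `| regex user!="..."` logic in Python's `re` module over a handful of constructed Windows logon events so the behaviour can be tested offline; the event layout, the `Account_Name` field name and the tightened `STRICT_CONVENTION` pattern are my assumptions, and the example goes one step beyond the thread by showing why the unanchored pattern from the answer accepts a name such as `foo.bar2_admin` while an end-anchored, letters-only pattern does not.

```python
import re

# Constructed sample events in the shape of Windows Security logon records as
# field=value text (Account_Name carries the user); not real log data.
SAMPLE_EVENTS = [
    "EventCode=4624 Logon_Type=3 Account_Name=foo.baar1 Workstation=WS01",
    "EventCode=4624 Logon_Type=2 Account_Name=foo.bar2 Workstation=WS02",
    "EventCode=4625 Logon_Type=3 Account_Name=foo12 Workstation=WS03",
    "EventCode=4624 Logon_Type=10 Account_Name=abc1234 Workstation=WS04",
    "EventCode=4624 Logon_Type=3 Account_Name=xyz Workstation=WS05",
    "EventCode=4624 Logon_Type=3 Account_Name=abc0-abr123 Workstation=WS06",
    "EventCode=4624 Logon_Type=3 Account_Name=foo.bar2_admin Workstation=WS07",
]

# Pulls the user out of an event; stands in for Splunk's field extraction here.
USER_FIELD = re.compile(r"Account_Name=(\S+)")

# Whitelist pattern exactly as given in the answer above (firstname.secondname+number).
THREAD_CONVENTION = re.compile(r"^\w+\.\w+\d")

# Tightened version (assumed, not from the thread): letters only in each name part,
# and anchored at the end so a trailing suffix cannot pass.  \w also accepts digits
# and underscores inside the name parts, which the stated convention does not allow.
STRICT_CONVENTION = re.compile(r"^[A-Za-z]+\.[A-Za-z]+\d+$")

# The second question: users consisting of letters only, with no digit.
LETTERS_ONLY = re.compile(r"^[a-zA-Z]+$")


def extract_user(event):
    """Return the Account_Name value, or None when the field is absent."""
    m = USER_FIELD.search(event)
    return m.group(1) if m else None


def nonconforming_users(events, pattern=STRICT_CONVENTION):
    """Equivalent of `| regex user!="<pattern>"`: keep users that do NOT match."""
    users = (extract_user(e) for e in events)
    return [u for u in users if u is not None and pattern.match(u) is None]


def letters_only_users(events):
    """Equivalent of `| regex user="^[a-zA-Z]+$"`: the users the second post wants removed."""
    users = (extract_user(e) for e in events)
    return [u for u in users if u is not None and LETTERS_ONLY.match(u)]


def word_class_matches_digits(value="abc1234"):
    """Shows why `| regex user!="^\\w+"` filters nothing out: \\w covers digits too."""
    return re.match(r"^\w+$", value) is not None


if __name__ == "__main__":
    print("outside convention (strict):", nonconforming_users(SAMPLE_EVENTS))
    print("outside convention (thread):", nonconforming_users(SAMPLE_EVENTS, THREAD_CONVENTION))
    print("letters only:", letters_only_users(SAMPLE_EVENTS))
    print("^\\w+$ matches abc1234:", word_class_matches_digits())
```

The strict pattern is the one to alert on in practice: without the `$` anchor, a `regex` filter only checks that the convention appears as a prefix, so a name with extra characters appended is silently treated as conforming.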