Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can we use regex to search for word?

Nawab
Communicator
‎06-22-2023 04:20 AM

let's suppose I have a set of the log from Windows authentication and I want to search if user field does not match a specific pattren, can we use regex to do that in splunk.

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2023 04:23 AM

Hi @Nawab,

you can use the regex command (https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Regex) or, if you have to use only a word, you can use the simple search of Splunk: Splunk is a search engine.

Could you better describe what you want to search?

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

Nawab
Communicator
‎06-22-2023 04:38 AM

So lets suppose there is a naming convention for user names in an organization

user1=foo.baar1

user2=foo.bar2

user3=foo12

 

Now user convention is firstname.secondname+number
and now i want to whitelist this so this convention and alert when a user without same regex is find will trigger alert

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2023 04:49 AM

Hi @Nawab,

you want to have as result only the third value, is it correct?

if this is your requirement, you could use the following regex:

In other words:

| makeresults | eval user="foo.baar1"
| append [ | makeresults | eval user="foo.bar2" ]
| append [ | makeresults | eval user="foo12" ]
| table _time  user
| regex user!="^\w+\.\w+\d"

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Nawab
Communicator
‎06-22-2023 05:02 AM

Your query is working if data is created using this query.

 

I changed some values 
now user names are 

| makeresults | eval user="abc1234"
| append [ | makeresults | eval user="xyz" ]
| append [ | makeresults | eval user="abc0-abr123" ]
| table _time user
| regex user!="^\w+"

here I want to remove if the user only has letters but no number
why doesn't it works

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2023 06:14 AM

Hi @Nawab ,

because \w means alphabetical chars, so also numbers.

In this case, you have to use the solution from @ITWhisperer .

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-22-2023 05:31 AM 
| regex user!="^[a-zA-Z]+$"
Reply
Solved! Jump to solution

Nawab
Communicator
‎06-22-2023 05:33 AM

Thanks  its working 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2023 04:23 AM

Hi @Nawab,

you can use the regex command (https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Regex) or, if you have to use only a word, you can use the simple search of Splunk: Splunk is a search engine.

Could you better describe what you want to search?

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...