Extract username with dash (-) Field from event

miberecz · ‎11-16-2021

Hello Everyone,

I'm trying to extract usernames from the logs of a proftpd.

An event looks like this:

2021-11-16 16:17:43,866 HOST proftpd[28071] 10.10.10.10 (11.11.11.11[22.22.22.22]): USER ASD-ASDASD: Login successful.

Simple usernames (ASDFG) works fine, also usernames with _ like ASD_ASD. But as soon as the username contains - character, its only extract the first part ASD-ASDASD

How do I circumvent this? How can I extract strings that contains - ?

johnhuang · ‎11-16-2021

| makeresults
| eval _raw = "2021-11-16 16:17:43,866 HOST proftpd[28071] 10.10.10.10 (11.11.11.11[22.22.22.22]): USER ASD-ASDASD: Login successful."
| rex field=_raw ":\sUSER\s(?<user_id>[^:]*)"
| table user_id

ITWhisperer · ‎11-16-2021

What extraction are you currently using?

miberecz · ‎11-16-2021

It was extracted automatically, and so far I trusted it until I realized its not complete. Now I believe I need a regex the gets everything after the string USER and before the :

PickleRick · ‎11-16-2021

Extracting everything between "USER" and a colon (":") is relatively easy:

USER\s(?<username>[^:]*):

There is one caveat though. If your username contains a colon (":"), it will only capture the username up to (and without) that colon.

BTW, you could try TA for proftpd - https://github.com/jewnix/TA-proftpd

Extract username with dash (-) Field from event

field extraction

fields

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life