Solved: Extracting users from a list

ryangillan · ‎10-18-2020

2020-10-19 05:00:03,744 INFO main() Deletion list: ['user1', 'user2', '$template', 'user233', 'svc_user1', ]

I have this log file that outputs a list of users to be deleted.
I want to search this output and extract the users into fields then exclude the $template* & svc_users* users.

I have tried this to extract the users to field.

search "list:" | eval del_users=split(_raw,"', '") | table del_users

output looks like:

2020-10-19 05:00:03,744 INFO main() Deletion list: ['user1

user2

$template

user233

svc_user1

Any suggestions to get a better output or how I should be doing this?

vnravikumar · ‎10-19-2020

Hi

Try this

| rex field=log max_match=0 "\[{0,}\'(?P<output>[^',]+)" 
| mvexpand output 
| table output

View solution in original post

ryangillan · ‎10-20-2020

This looks like what I need.

|search "list:" | rex field=log "\[(?<del_users>.*)\, \]" | eval users=split(_raw,"', '") | mvexpand users
|search NOT users IN ("$*templat*","svc*") | table users

vnravikumar · ‎10-19-2020

Hi

Try this

| rex field=log max_match=0 "\[{0,}\'(?P<output>[^',]+)" 
| mvexpand output 
| table output

inventsekar · ‎10-18-2020

did you check the "rex" regular expression...

| makeresults 
| eval log="2020-10-19 05:00:03,744 INFO main() Deletion list: ['user1', 'user2', '$template', 'user233', 'svc_user1', ]" 
| rex field=log "\[(?<del_users>.*)\, \]" 
| table del_users

EDIT - verified and adding the screenshot:

Extracting users from a list

eval

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation