Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with REGEX

fdevera
Path Finder
‎01-26-2021 09:33 AM

Hello, I need a regex to extract the GUID from non-standard UPN results that show up in this format: ex095838d@mydomain.onmicrosoft.com

  • First 2 characters: Will always be "ex".
  • GUID: Is the number string varying in length.
  • Last character: Will always be "d".

Other UPNs from results in the standard format of username@mydomain.onmicrosoft.com (which don't follow the above format) should remain untouched. 

  • Standard username = All letter string varying in length.

Thanks!

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-26-2021 09:44 AM

Hi @fdevera,

if you could share a sample it should be easier!

anuway, ytu something like this:

| rex "ex(?<GUID>\d+)d\@"

That you can test at https://regex101.com/r/hpaqSg/1

Ciao.

Giuseppe 

View solution in original post

Reply
Solved! Jump to solution

fdevera
Path Finder
‎01-26-2021 07:53 PM

| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)d\@"

That worked thank you! Now I have a GUID field with the values I need. One last thing, how would I use the following search to convert that GUID into a username? In the example below, "235999" would be where the GUID value is inserted.

| ldapsearch domain=DEFAULT search="(&(objectClass=user)(exguid=235999))" | table name

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-26-2021 09:44 AM

Hi @fdevera,

if you could share a sample it should be easier!

anuway, ytu something like this:

| rex "ex(?<GUID>\d+)d\@"

That you can test at https://regex101.com/r/hpaqSg/1

Ciao.

Giuseppe 

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...