Splunk Search

Help with REGEX

fdevera
Path Finder

Hello, I need a regex to extract the GUID from non-standard UPN results that show up in this format: ex095838d@mydomain.onmicrosoft.com

  • First 2 characters: Will always be "ex".
  • GUID: Is the number string varying in length.
  • Last character: Will always be "d".

Other UPNs from results in the standard format of username@mydomain.onmicrosoft.com (which don't follow the above format) should remain untouched. 

  • Standard username = All letter string varying in length.

Thanks!

Labels (2)
Tags (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @fdevera,

if you could share a sample it should be easier!

anuway, ytu something like this:

| rex "ex(?<GUID>\d+)d\@"

That you can test at https://regex101.com/r/hpaqSg/1

Ciao.

Giuseppe 

View solution in original post

fdevera
Path Finder

| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)d\@"

That worked thank you! Now I have a GUID field with the values I need. One last thing, how would I use the following search to convert that GUID into a username? In the example below, "235999" would be where the GUID value is inserted.

| ldapsearch domain=DEFAULT search="(&(objectClass=user)(exguid=235999))" | table name

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @fdevera,

if you could share a sample it should be easier!

anuway, ytu something like this:

| rex "ex(?<GUID>\d+)d\@"

That you can test at https://regex101.com/r/hpaqSg/1

Ciao.

Giuseppe 

View solution in original post