Splunk Search

Help with regex to extract a field from my sample data

New Member

Need assistance with Regex to parse the user from the event below. I'm looking to get the value of a string between =/com and src_host.
user=JOHN TEST SMITH. would this be possible?

Apr 11 11:03:55 servername <159>Apr 11 11:03:09 10.19.10.83 vendor=Websense product=Security productversion=8.0.1 action=permitted severity=1 category=9 user=LDAP://ldap.test.com OU=TEST,OU=HOME,DC=test,DC=test,DC=com/JOHN TEST SMITH srchost=10.10.40.24 srcport=0 dsthost=ocsp.msocsp.com dstip=10.100.100.184 dstport=80 bytesout=347 bytesin=2555 httpresponse=0 httpmethod=GET httpcontenttype=- httpuseragent=Microsoft-CryptoAPI/6.1 httpproxystatus_code=0 reason=- disposition=1026 policy=TEST11**Default role=8 duration=0 url=http://TEST.TEST.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0Z...

0 Karma

SplunkTrust
SplunkTrust

Try this:

your search
| rex "(?msi)/(?<myuser>[\w\s]+)\s+src_host"
0 Karma

Contributor

same idea, but for people with hyphens or other special characters in the name you could try:
[^=]+
in place of [\w\s]+

0 Karma