Splunk Search

Help with regex to extract a field from my sample data

New Member

Need assistance with Regex to parse the user from the event below. I'm looking to get the value of a string between =/com and src_host.
user=JOHN TEST SMITH. would this be possible?

Apr 11 11:03:55 servername <159>Apr 11 11:03:09 vendor=Websense product=Security product_version=8.0.1 action=permitted severity=1 category=9 user=LDAP://ldap.test.com OU=TEST,OU=HOME,DC=test,DC=test,DC=com/JOHN TEST SMITH src_host= src_port=0 dst_host=ocsp.msocsp.com dst_ip= dst_port=80 bytes_out=347 bytes_in=2555 http_response=0 http_method=GET http_content_type=- http_user_agent=Microsoft-CryptoAPI/6.1 http_proxy_status_code=0 reason=- disposition=1026 policy=TEST11**Default role=8 duration=0 url=http://TEST.TEST.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0Z...

0 Karma


Try this:

your search
| rex "(?msi)/(?<myuser>[\w\s]+)\s+src_host"
0 Karma


same idea, but for people with hyphens or other special characters in the name you could try:
in place of [\w\s]+

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!


Or Learn More in Our Blog >>