
How to extract fields (in props.conf) based on conditional regex?

Jamie
Path Finder

Hello,

My events contain strings such as:

notification that user "mydomain\bob" has
notification that user "fred" has 
notification that user "01\ralph2" has 

I'm trying to write a conditional EXTRACT in props.conf, so that a new field 'domain' is assigned the domain name (i.e. mydomain, 01) where specified, else is assigned NULL, and a new field 'user' is assigned the user name (i.e. bob, fred, ralph2).

This works well enough when there is a domain and a user, but obviously not when there isn't a domain:

EXTRACT-domain_user = notification\sthat\suser\s\"(?<domain>[\w\d]+)\\(?<user>[\w\d]+)\"\shas

I'd be grateful for some assistance.

1 Solution

Jamie
Path Finder

I had quite a lot of trouble getting the regexes that worked in the GUI to work in props.conf, however, I finally found that this works:

EXTRACT-domain = notification that user \"(?<domain>[\w\d]+)(\\)
EXTRACT-user = notification that user \"([\w\d]+(\\))?(?<user>[\w\d]+)\"
EVAL-domain = if(isnull(domain), "localhost", domain)

I'd be grateful if someone could explain why:

- it was necessary for EXTRACT-domain in the GUI to use four backslashes.

- it was necessary for EXTRACT-domain in props.conf to only need two backslashes in a capture group.

Thank you.


Jamie
Path Finder

This seems to work:

| makeresults 
| eval account="notification that user \"mydomain\bob\" has,notification that user \"fred\" has,notification that user \"01\ralph\" has"
| makemv account delim=","
| mvexpand account
| rex field=account "notification that user \"(?<domain>[\w\d]+)(\\\\)"
| rex field=account "notification that user \"(\w+\\\\)?(?<user>[\w\d]+)"
| fillnull domain value="NULL"

I might need to tweak the character elements to cater for my domain\user variants...but for now...



Jamie
Path Finder

FYI - The two extracts could be done as follows (courtesy of a colleague):

EXTRACT-user_domain = notification that user \"(?<domain>[\w\d.]+\\)?(?<user>[^\"]+)\"

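An added example (not code from the thread or from Splunk) that runs the combined extraction above in Python's `re` module, with the trailing backslash moved out of the `domain` group so the field holds just the name, and a small hypothetical helper `spl_string_layer` that strips the one string-literal layer an SPL double-quoted string has and props.conf does not. That layer is why the GUI needed four backslashes where props.conf needed two. The named-group spelling `(?P<name>...)` is Python's; PCRE (which Splunk uses) accepts it too. The events are constructed.

```python
import re
from typing import Optional

# Constructed sample events in the format the thread describes.
EVENTS = [
    'notification that user "mydomain\\bob" has',
    'notification that user "fred" has',
    'notification that user "01\\ralph2" has',
]

# The combined regex as typed inside the double-quoted string of an SPL
# "rex" command: four backslashes per literal backslash in the event.
SPL_LITERAL = r'notification that user \"(?:(?P<domain>[\w.]+)\\\\)?(?P<user>[^\"]+)\"'


def spl_string_layer(literal: str) -> str:
    # Undo the escaping SPL applies inside a double-quoted string:
    # \\ becomes \ and \" becomes ". props.conf values are taken literally,
    # so the result is what you would put after "EXTRACT-... =" there.
    # (Hypothetical helper written for this example.)
    return re.sub(r'\\([\\"])', r'\1', literal)


# What the regex engine (and props.conf) actually sees: two backslashes.
PROPS_REGEX = spl_string_layer(SPL_LITERAL)


def extract_domain_user(event: str, default_domain: str = "NULL") -> Optional[dict]:
    # Extract domain and user; an absent domain gets a fillnull-style default.
    m = re.search(PROPS_REGEX, event)
    if m is None:
        return None
    domain = m.group("domain")  # None when the optional group did not match
    return {"domain": domain if domain is not None else default_domain,
            "user": m.group("user")}


if __name__ == "__main__":
    print("props.conf form:", PROPS_REGEX)
    for event in EVENTS:
        print(extract_domain_user(event))
```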

gcusello
Esteemed Legend

Hi @Jamie,

as I said, good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉


gcusello
Esteemed Legend

Hi @Jamie,

good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉


Jamie
Path Finder

Ciao Giuseppe,

Thank you for the suggestion.

Testing is tricky; configuration in props.conf vs the web GUI needs to be implemented differently as my events have backslashes and double quotes. So just using the web GUI for now, I have (note how I have had to specify 4 x backslashes):

| makeresults 
| eval account="notification that user mydomain\bob has,notification that user fred has,notification that user 01\ralph has"
| makemv account delim=","
| mvexpand account
| rex field=account "notification that user (?<domain>[\w\d]+)\\\\"
| fillnull domain value="NULL"

I have removed the double quotes around each domain\user and user for now as that was making things even trickier (I'll resolve that later).

This gives me the domain as per the event or NULL, which is great.  Any thoughts on how to get the user in both cases -- when there is a domain and when there isn't?  My regex attempts suck in the domain as the user.

I need something like if domain != NULL regex_to_get_user


gcusello
Esteemed Legend

Hi @Jamie,

you could extract the domain using a regex like the following (inside a double-quoted SPL string, a literal backslash in the event needs four backslashes):

| rex "notification that user \"(?<domain>\w+)\\\\"

and then use fillnull to give the NULL value if there is no domain:

| rex "notification that user \"(?<domain>\w+)\\\\"
| fillnull domain value="NULL"

You can also extract the domain field as a field extraction and assign the NULL value as an automatic field.

Ciao.

Giuseppe
