Splunk Search

How to extract fields (in props.conf) based on conditional regex?

Jamie
Path Finder

Hello,

My events contain strings such as:

notification that user "mydomain\bob" has
notification that user "fred" has 
notification that user "01\ralph2" has 

I'm trying to write a conditional EXTRACT in props.conf, so that a new field 'domain' is assigned the domain name (i.e. mydomain, 01) where specified, else is assigned NULL, and a new field 'user' is assigned the user name (i.e. bob, fred, ralph2).

This works well enough when there is a domain and a user, but obviously not when there isn't a domain:

EXTRACT-domain_user = notification\sthat\suser\s\"(?<domain>[\w\d]+)\\(?<user>[\w\d]+)\"\shas

I'd be grateful for some assistance.
1 Solution

Jamie
Path Finder

I had quite a lot of trouble getting the regexes that worked in the GUI to work in props.conf; however, I finally found that this works:

EXTRACT-domain = notification that user \"(?<domain>[\w\d]+)(\\)
EXTRACT-user = notification that user \"([\w\d]+(\\))?(?<user>[\w\d]+)\"
EVAL-domain = if(isnull(domain), "localhost", domain)

I'd be grateful if someone could explain why:

- it was necessary for EXTRACT-domain in the GUI to use four backslashes.

- it was necessary for EXTRACT-domain in props.conf to only need two backslashes in a capture group.

Thank you.

Jamie
Path Finder

This seems to work:

| makeresults 
| eval account="notification that user \"mydomain\bob\" has,notification that user \"fred\" has,notification that user \"01\ralph\" has"
| makemv account delim=","
| mvexpand account
| rex field=account "notification that user \"(?<domain>[\w\d]+)(\\\\)"
| rex field=account "notification that user \"(\w+\\\\)?(?<user>[\w\d]+)"
| fillnull domain value="NULL"

I might need to tweak the character elements to cater for my domain\user variants...but for now...



Jamie
Path Finder

FYI - The two extracts could be done as follows (courtesy of a colleague):

EXTRACT-user_domain = notification that user \"(?:(?<domain>[\w\d.]+)\\)?(?<user>[^\"]+)\"
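To make the behaviour of these extractions checkable offline, the accepted answer's two-step EXTRACT-domain / EXTRACT-user pair and this single combined regex are modelled below in Python. This is an added example, not code from any of the posts: the events are constructed from the three sample lines in the question plus one extra edge case (a dotted domain and a dotted username) that the thread does not mention, and Python's `re` needs `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`. Because props.conf hands its value straight to the regex engine, a Python raw string is the closest model: `\\` is one literal backslash and `\"` is a quote.

```python
import re

# Constructed sample events: the three lines quoted in the question plus one
# added edge case (dotted domain and dotted username) that is not on the page.
EVENTS = [
    'notification that user "mydomain\\bob" has',
    'notification that user "fred" has',
    'notification that user "01\\ralph2" has',
    'notification that user "corp.example.com\\j.smith" has',
]

# props.conf values are passed straight to the regex engine, so a Python raw
# string is the closest model: \\ is one literal backslash, \" is a quote.
# Python needs (?P<name>...) where Splunk's PCRE accepts (?<name>...).

# Accepted answer: two separate extractions.
DOMAIN_RE = re.compile(r'notification that user "(?P<domain>[\w\d]+)\\')
USER_RE = re.compile(r'notification that user "([\w\d]+\\)?(?P<user>[\w\d]+)"')

# Single extraction: the optional group wraps both the domain and its trailing
# backslash, so the backslash stays out of the named capture.
COMBINED_RE = re.compile(
    r'notification that user "(?:(?P<domain>[\w\d.]+)\\)?(?P<user>[^"]+)"'
)

# Same idea with the backslash left INSIDE the named group: a common slip.
TRAILING_SLASH_RE = re.compile(
    r'notification that user "(?P<domain>[\w\d.]+\\)?(?P<user>[^"]+)"'
)


def extract_two_step(event: str, null: str = "NULL") -> dict:
    """EXTRACT-domain + EXTRACT-user, then the EVAL/fillnull that supplies NULL."""
    d = DOMAIN_RE.search(event)
    u = USER_RE.search(event)
    return {
        "domain": d.group("domain") if d else null,  # if(isnull(domain), null, domain)
        "user": u.group("user") if u else None,
    }


def extract_combined(event: str, null: str = "NULL") -> dict:
    """Single regex with an optional domain group; an unmatched group becomes NULL."""
    m = COMBINED_RE.search(event)
    if not m:
        return {"domain": None, "user": None}
    return {"domain": m.group("domain") or null, "user": m.group("user")}


def domain_with_trailing_backslash(event: str):
    """Shows what the domain field holds when the backslash sits inside the group."""
    m = TRAILING_SLASH_RE.search(event)
    return m.group("domain") if m else None


if __name__ == "__main__":
    for e in EVENTS:
        print(f"{e!r}")
        print("  two-step:", extract_two_step(e))
        print("  combined:", extract_combined(e))
    print("backslash inside group:", domain_with_trailing_backslash(EVENTS[0]))
```

On the three sample events both approaches agree. On the added `corp.example.com\j.smith` event the two-step pair returns domain NULL and no user at all, because `[\w\d]+` stops at the first dot and the user pattern insists on a closing quote right after it, while the combined regex returns `corp.example.com` and `j.smith`. Keeping the `\\` outside the named group is what stops the domain field from coming back as `mydomain\`.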

gcusello
SplunkTrust
SplunkTrust

Hi @Jamie,

as I said, good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello
SplunkTrust
SplunkTrust

Hi @Jamie,

good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉


Jamie
Path Finder

Ciao Giuseppe,

Thank you for the suggestion.

Testing is tricky; configuration in props.conf vs the web GUI needs to be implemented differently as my events have backslashes and double quotes. So just using the web GUI for now, I have (note how I have had to specify 4 x backslashes):

| makeresults 
| eval account="notification that user mydomain\bob has,notification that user fred has,notification that user 01\ralph has"
| makemv account delim=","
| mvexpand account
| rex field=account "notification that user (?<domain>[\w\d]+)\\\\"
| fillnull domain value="NULL"

I have removed the double quotes around each domain\user and user for now as that was making things even trickier (I'll resolve that later)

This gives me the domain as per the event or NULL, which is great.  Any thoughts on how to get the user in both cases -- when there is a domain and when there isn't?  My regex attempts suck in the domain as the user.

I need something like if domain != NULL regex_to_get_user

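The four-versus-two backslash difference noted in this post comes from two escaping layers, not one. A pattern typed into a search (rex, or the field extractor GUI, which generates a search) is first decoded as an SPL double-quoted string literal, so `\\\\` becomes `\\` and `\"` becomes `"`, and only then is it handed to the regex engine, which reads `\\` as one literal backslash. A props.conf value has no string-literal layer and goes to the regex engine as written, so `\\` is enough there. The following added example (not code from the thread) models that with a small `spl_unescape` helper, which is a simplified assumption about the string-literal layer, not Splunk's parser; the event is constructed from the question's first sample line.

```python
import re

# Constructed event: one of the question's sample lines as stored in the index.
EVENT = 'notification that user "mydomain\\bob" has'


def spl_unescape(literal: str) -> str:
    r"""Simplified model (an assumption, not Splunk's parser) of how an SPL
    double-quoted string is decoded before rex sees it: \\ becomes \, \" becomes ",
    and any other backslash sequence (such as \w) passes through unchanged."""
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal) and literal[i + 1] in '\\"':
            out.append(literal[i + 1])
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)


def run_regex(text_as_written: str, from_search_bar: bool) -> dict:
    """Feed the pattern to the engine the way each path does: the search bar
    applies the string-literal layer first, props.conf hands the text over as-is."""
    pattern = spl_unescape(text_as_written) if from_search_bar else text_as_written
    try:
        m = re.search(pattern, EVENT)
    except re.error as exc:  # e.g. "bad escape (end of pattern)"
        return {"pattern": pattern, "error": str(exc), "domain": None}
    return {"pattern": pattern, "error": None, "domain": m.group("domain") if m else None}


# The text between the quotes of `| rex "..."`, or the value in props.conf.
# Python needs (?P<name>...) where Splunk's PCRE accepts (?<name>...).
TWO_BACKSLASHES = r'notification that user \"(?P<domain>\w+)\\'
FOUR_BACKSLASHES = r'notification that user \"(?P<domain>\w+)\\\\'


def escaping_demo() -> dict:
    """Same regex text, pushed through each path, with and without the doubling."""
    return {
        "rex_4": run_regex(FOUR_BACKSLASHES, from_search_bar=True),
        "rex_2": run_regex(TWO_BACKSLASHES, from_search_bar=True),
        "props_2": run_regex(TWO_BACKSLASHES, from_search_bar=False),
        "props_4": run_regex(FOUR_BACKSLASHES, from_search_bar=False),
    }


if __name__ == "__main__":
    for name, result in escaping_demo().items():
        print(name, result)
```

Running it shows the four combinations: four backslashes in rex and two in props.conf both reach the engine as `\\` and extract `mydomain`; two backslashes in rex reach the engine as a lone trailing `\` and fail to compile; four backslashes in props.conf compile fine but look for two literal backslashes and silently match nothing, which is the quieter of the two failure modes and worth a test like this before deploying a props.conf change.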

gcusello
SplunkTrust
SplunkTrust

Hi @Jamie,

you could extract the domain using a regex like the following 

| rex "notification that user \"(?<domain>\w+)\\\\"

and then use fillnull to give the NULL value if there isn't the domain:

| rex "notification that user \"(?<domain>\w+)\\\\"
| fillnull domain value="NULL"

You can also extract the domain field as a field extraction and the NULL assignment as an automatic field.

Ciao.

Giuseppe
