Splunk Search

How to extract the username from a raw event?

New Member

Here is the raw event log:

Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed. Reason: No Roles
Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed from 10.12.6.240 for sramachandran/VPNUsers. All roles restricted.

I would like to extract only the username (ex: sramachandran in this case) to a field called "UserName".

Can you please help me achieve this?

Thanks in advance.

0 Karma

SplunkTrust

Assuming the username always follows the IP address, which is in square brackets, this should do it.

]\s+(?<UserName>\w+)

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Influencer

Use rex:

| rex "(?<UserName>\w+)\(VPNUsers\)"

Sample query:

| makeresults | eval _raw="Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed from 10.12.6.240 for sramachandran/VPNUsers. All roles restricted." | rex "(?<UserName>\w+)\(VPNUsers\)"
0 Karma

New Member

index="juniperindex" ("Login Failed*" OR "Primary authentication failed") is my initial query to find the results:

The outcome events look like:

Apr 22 21:21:21 10.14.10.66 1 2020-04-22T21:21:21-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 21:21:21 - ive - [12.12.2.28] vinduri(VPNUsers)[] - Login failed using auth server LasVegas DC (LDAP Server). Reason: Failed

Apr 22 21:21:21 10.14.10.66 1 2020-04-22T21:21:21-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 21:21:21 - ive - [14.13.8.28] rgunasek(VPNUsers)[] - Primary authentication failed for vinduri/LasVegas DC from x.y.z.a

Can you now help me?

0 Karma

Influencer

The query below should work:

index="juniperindex" ("Login Failed*" OR "Primary authentication failed") | rex "(?<UserName>\w+)\(VPNUsers\)" | table UserName
0 Karma
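As an added example (not code from the thread), the snippet below runs both patterns proposed above over the sample lines from this thread in JavaScript, whose `(?<name>)` named-group syntax matches the PCRE syntax Splunk's rex uses, and adds a fuller extraction of the kind the follow-up question asks about. The extra pattern and the field names SrcIp, Realm and Message are my assumptions, not Splunk's or PulseSecure's.

```javascript
// Constructed sample events, copied from the PulseSecure lines posted in this thread.
const SAMPLE_EVENTS = [
  "Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed. Reason: No Roles",
  "Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed from 10.12.6.240 for sramachandran/VPNUsers. All roles restricted.",
  "Apr 22 21:21:21 10.14.10.66 1 2020-04-22T21:21:21-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 21:21:21 - ive - [12.12.2.28] vinduri(VPNUsers)[] - Login failed using auth server LasVegas DC (LDAP Server). Reason: Failed",
  "Apr 22 21:21:21 10.14.10.66 1 2020-04-22T21:21:21-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 21:21:21 - ive - [14.13.8.28] rgunasek(VPNUsers)[] - Primary authentication failed for vinduri/LasVegas DC from x.y.z.a",
];

// The two patterns proposed in the thread, written exactly as they would go inside rex "...".
const AFTER_BRACKET = /\]\s+(?<UserName>\w+)/;          // username right after the [ip] token
const BEFORE_REALM  = /(?<UserName>\w+)\(VPNUsers\)/;   // username right before (VPNUsers)

// Assumed richer pattern: source IP in brackets, user, realm in parentheses, then the message text.
const PULSE_AUTH = /\[(?<SrcIp>[\d.]+)\]\s+(?<UserName>\w+)\((?<Realm>[^)]*)\)\[\]\s+-\s+(?<Message>.*)$/;

// Returns the UserName capture for one event, or null when the pattern does not match.
function extractUserName(event, pattern = BEFORE_REALM) {
  const m = pattern.exec(event);
  return m ? m.groups.UserName : null;
}

// Returns { SrcIp, UserName, Realm, Message } for one event, or null when it does not parse.
function parsePulseAuthEvent(event) {
  const m = PULSE_AUTH.exec(event);
  if (!m) return null;
  const { SrcIp, UserName, Realm, Message } = m.groups;
  return { SrcIp, UserName, Realm, Message };
}

// Counts failed-login events per bracketed user, the aggregation "| table UserName" leads toward.
function failedLoginsByUser(events) {
  const counts = {};
  for (const event of events) {
    const parsed = parsePulseAuthEvent(event);
    if (parsed && /failed/i.test(parsed.Message)) {
      counts[parsed.UserName] = (counts[parsed.UserName] || 0) + 1;
    }
  }
  return counts;
}

for (const event of SAMPLE_EVENTS) {
  console.log(extractUserName(event, AFTER_BRACKET), extractUserName(event), parsePulseAuthEvent(event));
}
console.log(failedLoginsByUser(SAMPLE_EVENTS));
```

Note the last sample line: the bracketed session user (rgunasek) is not the account named in the message (vinduri), so a report keyed on UserName attributes that failure to rgunasek.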

New Member

Yes, this did the task. But I still have many other fields to extract with regular expressions and add them to a table at the end.

In my next reply, can I paste another sample log file, with which we can fine-tune this query more?

Thanks a lot in advance.

0 Karma