Solved: How to regex information from two lines?

packet_hunter · ‎06-08-2017

I am trying to create and add a regex stanza to Windows TA to parse out a username.
This is for event code 516 from a windows security event log.
The Windows TA does not parse out a username quite right.

The raw event writes the information on two separate lines.
...
User:
employeename@company.com
....

I started my stanza (with the help of regex101.com) but I am not having success writing a regex that matches [User: ] and then drops to the next line and copies the employee name out of the email address.

Here is my starting effort...

# Event Code 516 
[User:_as_user]
SOURCE_KEY = User:
REGEX = ???
FORMAT = ???

Please advise how it might be written. Please let me know if you need more information.

Thank you

lukas_loder · ‎06-08-2017

Hello packet_hunter

On regex101 this one works fine for me:

User:\n(?<User>.+)@

I just used your example

...
User:
employeename@company.com
....

and i get "employeename" as result. Have you tried this one?

View solution in original post

lukas_loder · ‎06-08-2017

Hello packet_hunter

On regex101 this one works fine for me:

User:\n(?<User>.+)@

I just used your example

...
User:
employeename@company.com
....

and i get "employeename" as result. Have you tried this one?

packet_hunter · ‎06-08-2017

yes this one gives just the name which is what I need.
Strange part is that when I use your regex on the entire _raw event, it does not work.
It works in the regex101 editor though...
Thanks

somesoni2 · ‎06-08-2017

See if this works for you

props.conf on your search head

[YourSourceTypeName]
EXTRACT-username = User\:([\r\n]*)(?<UserName>\S+)

Regex101 link
https://regex101.com/r/9THuiH/1

packet_hunter · ‎06-08-2017

Thank you, I will give it a try.

How to regex information from two lines?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor