Solved: How to search for only select users based on a reg...

LizAndy123 · ‎05-16-2024

So I have the following setup and everything is good but I want to kind of do a subsearch

In the Event - Sample

User-ABCDEF assigned Role-'READ' on Project-1234 to GHIJKL

Current SPL

index="xxxx" "role-'WRITE'" OR "role-'READ'"
| rex "User-(?<userid>[^,]*)"
| rex "(?<resource>\w+)$"
| eval userid=upper(userid)
| stats c as Count latest(_time) as _time by userid

I get an output as this

ABCDEF ASSIGNED ROLE-'READ' ON PROJECT-1234 TO GHIJKL

What I want is to search on just the GHIJKL after it extracts or should I just put it at the front so it only fetches that?

richgalloway · ‎05-16-2024

To search on the resource field, use the where command.

index="xxxx" "role-'WRITE'" OR "role-'READ'"
| rex "User-(?<userid>[^,]*)"
| rex "(?<resource>\w+)$"
| where resource="GHIJKL"
| eval userid=upper(userid)
| stats c as Count latest(_time) as _time by userid

---
If this reply helps you, Karma would be appreciated.

View solution in original post

ITWhisperer · ‎05-17-2024

Your sample event doesn't appear to have a comma terminating the user id so perhaps use this rex to extract it?

| rex "User-(?<userid>[^, ]*)"

richgalloway · ‎05-16-2024

To search on the resource field, use the where command.

index="xxxx" "role-'WRITE'" OR "role-'READ'"
| rex "User-(?<userid>[^,]*)"
| rex "(?<resource>\w+)$"
| where resource="GHIJKL"
| eval userid=upper(userid)
| stats c as Count latest(_time) as _time by userid

---
If this reply helps you, Karma would be appreciated.

How to search for only select users based on a regex extract

regex

subsearch

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability