So I have this data:
Aug 22 09:13:46 someservername <118>1 2018-08-22T09:13:46.743+00:00 ip.address LOGSTASH - - - {"timestamp":1534929226738,"process_id":62,"source":"OpsCodi:0","event_type":"SECURITY_MGMT_REGISTRY","data2":{"srctype":"ops_console"},"user":"U654321","target":"some.server.of.ours","message":"Add User [U123456] ","log_level":"INFO"}
I don't have a way to modify the field extractions or anything, so I'm at the mercy of Splunk. No admin rights, so I've been working on some serious Splunk fu with my search:
index=index sourcetype=sourcetype source="source//*.log" | multikv | mvexpand _raw | search URGP_0="User [*]*" | regex URGP_0=(\[(\w+)\]) | table URGP_0
So all I want to see is just U123456, and I intend to pipe this into a table in my dashboard once I have the regex working properly.
I am no master with regex, but I've plugged it into various checkers online and they all show that it should be working, but Splunk just continues to show me the full field value, which looks like this:
User [U123456] ","log_level":"INFO"}
Yes, it's a terrible field, but well, prior to me putting in the mvexpand there were no fields detected, so now I at least have something to work with.
Also, if possible, how to extract this user info from it as well:
"user":"U654321"
Thank you for your help with this.
Hi @thefuzz4,
you have to escape [ ] characters properly.
Also you are not using the right command.
Something like this should work.
| rex field=_raw "Add\s*User\s*\[(?<user>[^\]]+)\]"
or if you already have a field that contains the value
| rex field=URGP_0 "\[(?<user>[^\]]+)\]"
EDIT:
Changes since your recent edit
| rex field=_raw "\"user\":\"(?<userinfo>[^\"]+)\""
should extract the U654321 value inside of the userinfo field
Second EDIT:
Userinfo:
| rex field=_raw "(?<userinfo>\"user\":\"[^\"]+\")"
should extract the "user":"U654321" into the field userinfo
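To show what the two rex patterns above actually capture, and why the original search's regex command returned nothing useful, here is an added Python example (not part of the answer or of Splunk itself) that runs the same patterns over a constructed copy of the question's log line. Python spells a named group (?P<name>...) where Splunk's rex accepts (?<name>...); the character classes and escaping are otherwise identical. The json_extract helper and the field names actor/added_user are my own additions, included because the payload after the syslog header is JSON and parsing it is more robust than regexing it when a value could contain ] or a quote.

```python
import json
import re

# Constructed sample, modelled on the line in the question (not real data).
SAMPLE_LINE = (
    'Aug 22 09:13:46 someservername <118>1 2018-08-22T09:13:46.743+00:00 '
    'ip.address LOGSTASH - - - {"timestamp":1534929226738,"process_id":62,'
    '"source":"OpsCodi:0","event_type":"SECURITY_MGMT_REGISTRY",'
    '"data2":{"srctype":"ops_console"},"user":"U654321",'
    '"target":"some.server.of.ours","message":"Add User [U123456] ",'
    '"log_level":"INFO"}'
)

# The same patterns as the answer's rex commands, with Python's (?P<name>...)
# group syntax in place of PCRE's (?<name>...).
ADDED_USER_RE = re.compile(r"Add\s*User\s*\[(?P<user>[^\]]+)\]")
ACTOR_RE = re.compile(r'"user":"(?P<userinfo>[^"]+)"')


def rex_extract(raw):
    """Behave like `rex`: return the named capture groups as new fields."""
    fields = {}
    for pattern in (ADDED_USER_RE, ACTOR_RE):
        match = pattern.search(raw)
        if match:
            fields.update(match.groupdict())
    return fields


def regex_filter(raw, pattern):
    """Behave like `regex`: decide whether the event is kept.

    This is what the original search used. It filters events and never
    creates a field, which is why the full field value kept showing up.
    """
    return re.search(pattern, raw) is not None


def json_extract(raw):
    """Parse the JSON payload after the syslog header instead of regexing it.

    Separates the actor (top-level "user") from the account being added
    (inside "message"), which are different principals in this audit event.
    Hypothetical helper; field names actor/added_user are my own.
    """
    payload = json.loads(raw[raw.index("{"):])
    match = ADDED_USER_RE.search(payload.get("message", ""))
    return {
        "actor": payload.get("user"),
        "added_user": match.group("user") if match else None,
        "event_type": payload.get("event_type"),
    }


if __name__ == "__main__":
    print(rex_extract(SAMPLE_LINE))
    print(regex_filter(SAMPLE_LINE, r"\[(\w+)\]"))
    print(json_extract(SAMPLE_LINE))
```

Running it prints the two extracted fields (user and userinfo), shows that the regex-style call only answers yes/no, and gives the parsed view with actor and added account side by side.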
Is the field URGP_0 a field that is extracted already? I don't see that you are creating it anywhere in your data, and it isn't a KV pair, so it looks like your search is looking for a field called URGP_0.
It also appears that your data is not complete. You may want to update the question to use the 101010 button to mark the text instead of the " button, so that it does it as code instead of a quote.
I will update the question to use the 1010 button, my apologies.
Yes the URGP_0 is a field that was extracted from it.
Thank you that worked like a charm. I also posted a 2nd question in here and of course after I posted it I saw the answer to my 1st part. Don't suppose you have some regex fu for that piece?
By the way yes I did already have the field for the 1st part so I was able to use the bit about the field.
Sorry, I meant just the U654321 part.
@thefuzz4,
no problem. My first edit should give you the right solution. 🙂
Changes since your recent edit
| rex field=_raw "\"user\":\"(?<userinfo>[^\"]+)\""
should extract the U654321 value inside of the userinfo field
You rock thank you so much
Look at my edits 🙂