I have a search that returns a user field, e.g. user="username". This gets reported by one system as user="u'username'", which is generating false positives for unknown users.
I want to modify the user field, if necessary, to remove the u' at the start and the ' at the end. I have a way, but it seems cumbersome:
| eval user=if(like(user,"u'%'"), mvindex(split(user,"'"),1), user)
I'd be interested if there's a better way, since I have another mis-report where the username has a : appended to it. Using a similar eval but with an rtrim I could remove it, but the search would be getting very heavy then:
| eval user=if(like(user,"u'%'"), mvindex(split(user,"'"),1), user) | eval user=if(like(user,"%:"), rtrim(user,":"), user)
I feel there ought to be a regular expression way of doing this but I can't work it out.
Thanks
You need the replace command:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/replace
Here's a solution using the aforementioned replace command:
| makeresults | eval user="u'username" | replace u'* with *
(Everything prior to "| replace" is used to make a single sample event on which to test the replace. Omit it in your actual search.)
Check out the replace command
Thanks both, it took me a while to work out that it was the eval replace command, not the other replace, but with the right regex it seems to work:
| eval user=replace(user,"(^u')?(.+)[':]$","\2")
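As an added illustration (not part of the original thread), the following Python ports the regex from the accepted eval replace() unchanged and runs it over a handful of constructed sample events, so the effect on the "unknown user" false positives the question describes can be checked outside Splunk. The u'...' wrapping is what Python 2 produces when a unicode string is written into a log via repr(), which is why only one source reports it. The event list, source names and the known-user set are invented for the example.

```python
import re

# The regex the thread settled on for eval replace(), used here as-is:
#   (^u')?  optionally consumes a leading u'
#   (.+)    keeps the username itself (greedy, so it runs to the last char)
#   [':]$   requires, and discards, exactly one trailing ' or :
# Any value that does not end in ' or : does not match and is left untouched.
USER_CLEANUP = re.compile(r"(^u')?(.+)[':]$")


def normalize_user(user: str) -> str:
    """Python equivalent of: | eval user=replace(user,"(^u')?(.+)[':]$","\\2")"""
    return USER_CLEANUP.sub(r"\2", user)


# Constructed sample events (not real data): the same accounts as reported by a
# clean source, a Python-2-style repr source, and a source that appends ':'.
SAMPLE_EVENTS = [
    {"src": "vpn",    "user": "alice"},
    {"src": "py2app", "user": "u'alice'"},
    {"src": "sudo",   "user": "bob:"},
    {"src": "vpn",    "user": "svc_backup"},
    {"src": "py2app", "user": "u'mallory'"},
]

# Hypothetical allow-list standing in for whatever lookup the real search uses.
KNOWN_USERS = {"alice", "bob", "svc_backup"}


def unknown_users(events, known, normalize=True):
    """Return the sorted list of distinct user values not present in `known`.

    With normalize=False this is what the original search saw: every u'...'
    and trailing-colon value surfaces as a bogus unknown user. With the
    normalisation applied only the genuinely unknown account remains.
    """
    seen = set()
    for ev in events:
        user = normalize_user(ev["user"]) if normalize else ev["user"]
        if user not in known:
            seen.add(user)
    return sorted(seen)


if __name__ == "__main__":
    print("before normalising:", unknown_users(SAMPLE_EVENTS, KNOWN_USERS, normalize=False))
    print("after  normalising:", unknown_users(SAMPLE_EVENTS, KNOWN_USERS))
```

Two caveats worth keeping in mind when reusing the pattern: because the trailing character class is what triggers the match, a value like u'alice that arrives without its closing quote is left alone, and a username that legitimately ends in a colon or apostrophe will have that character stripped. If either case can occur in your data, tighten the pattern (for example by anchoring the u' prefix and the closing ' as a pair) or, better, fix the upstream source so it logs the bare username.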