Splunk Search

REGEX help .. I am still learning ....

Stephen11
Explorer

To all:

Still learning about REGEX ...  I looked at RUBULAR.COM and REGEX101.com to figure out how to pull out the user ids...   In the example below I need to get 4 user ids out ...   I matched on the single quote ' - however I am not able to get the 4 ids in one swoop ... any suggestions?  It's just not that easy...

Watched a couple of YouTube videos on regex ... just not all that intuitive when the conditions are a little bit more tricky. Appreciate any help I can get.


Multiple 'access denied' events detected with protocol smb (at least 41 failed attempts in 15 seconds). Last usernames used in login requests are: 'NA\HXXX6LBDBMCXT2$', 'NA\RKXXXEDE', 'UPSTREAM\dXXXcline', 'ULAB\l3xxxxcli'. Last path trying to access FA Labs\XXXM\Lumisizer\08-xx-2020_1201 A-D, 1201 A2-D2 - Copy\1201 C.xlsx


isoutamo
SplunkTrust
SplunkTrust

Hi

With your example this seems to work.

index=_internal
| head 1
| eval _raw = "Multiple 'access denied' events detected with protocol smb (at least 41 failed attempts in 15 seconds). Last usernames used in login requests are: 'NA\HXXX6LBDBMCXT2$', 'NA\RKXXXEDE', 'UPSTREAM\dXXXcline', 'ULAB\l3xxxxcli'. Last path trying to access FA Labs\XXXM\Lumisizer\08-xx-2020_1201 A-D, 1201 A2-D2 - Copy\1201 C.xlsx"
| rename COMMENT AS "previous set example data, next do the regex"
| rex max_match=0  "Last usernames used in login requests are:\s(?<NamesAll>[^\.]+)"
| rex max_match=0 field=NamesAll "([',\s\.])+(?<Names>[^']+)"

r. Ismo 

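The two-step rex extraction from the answer above, ported to Python as an added example (not code from the thread or from Splunk) and run over the sample event from the question. The regex names, the quote-anchored variant for usernames that contain a period, and the classify helper are my own additions.

```python
import re

# Constructed sample: the alert text from the question, with its masked usernames.
SAMPLE_EVENT = (
    "Multiple 'access denied' events detected with protocol smb (at least 41 failed "
    "attempts in 15 seconds). Last usernames used in login requests are: "
    "'NA\\HXXX6LBDBMCXT2$', 'NA\\RKXXXEDE', 'UPSTREAM\\dXXXcline', 'ULAB\\l3xxxxcli'. "
    "Last path trying to access FA Labs\\XXXM\\Lumisizer\\08-xx-2020_1201 A-D, "
    "1201 A2-D2 - Copy\\1201 C.xlsx"
)

LABEL = r"Last usernames used in login requests are:\s*"

# Stage 1 (the answer's first rex): everything after the label up to the first period.
NAMES_ALL_RE = re.compile(LABEL + r"(?P<NamesAll>[^.]+)")
# Stage 2 (the answer's second rex): one name per run of quote/comma/space separators.
NAMES_RE = re.compile(r"[',\s.]+(?P<Names>[^']+)")


def extract_two_stage(event: str) -> list[str]:
    """Python port of the two-step rex approach; returns the usernames in order."""
    m = NAMES_ALL_RE.search(event)
    if not m:
        return []
    return [n.group("Names") for n in NAMES_RE.finditer(m.group("NamesAll"))]


# Variant that anchors on the quotes instead of the first period, so a username
# containing a dot (e.g. 'CORP\first.last') does not cut the list short at stage 1.
QUOTED_LIST_RE = re.compile(LABEL + r"((?:'[^']*'(?:,\s*)?)+)")


def extract_quoted(event: str) -> list[str]:
    """Return every quoted username following the label, dots included."""
    m = QUOTED_LIST_RE.search(event)
    if not m:
        return []
    return re.findall(r"'([^']*)'", m.group(1))


def classify(name: str) -> dict:
    """Split DOMAIN\\account; an account ending in '$' is an AD computer account."""
    domain, _, account = name.rpartition("\\")
    return {"domain": domain, "account": account, "machine_account": account.endswith("$")}


if __name__ == "__main__":
    for user in extract_two_stage(SAMPLE_EVENT):
        print(classify(user))
```

Both extractors return the four names from the sample; they differ only when a username itself contains a period, which the two-stage version truncates.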

thambisetty
SplunkTrust
SplunkTrust

Can you share a sample event?

The example you shared is not clear.

————————————
If this helps, give a like below.