Splunk Search

Reg - How do I extract username?

Sasti
Engager

Hi All,

     I'm trying to extract the username from the _raw field using regex, how do I extract the username. The username comes after some parameters, the parameters look like (\"requestParameters\": {\"userName\": <username>)

Labels (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @Sasti,

this log seems to be a json, did you tried to use the "INDEXED_EXTRACTIONS = JSON" option in props.conf?

or did you tried to use the "spath" command in search?

Anyway, if you want to use a regex, lete me understand, does you log contain? 

\"requestParameters\": {\"userName\": <username>

or 

"requestParameters": {"userName": <username>

in other words: in your logs are there slashes before quotes or not?

if yes, you could use a regex like this:

| rex "\\\"requestParameters\\\": \{\\\"userName\\\": \<(?<username>[^\>]*)"

if it doesn't run, please try this:

| rex "\\\\"requestParameters\\\\": \{\\\\"userName\\\\": \<(?<username>[^\>]*)"

If instead you don't have backslashes before quotes (as I suppose), please try this:

| rex "\"requestParameters\": \{\"userName\": \<(?<username>[^\>]*)"

If you could share a full logs I could be more sure

Ciao.

Giuseppe

 

 

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Sasti,

this log seems to be a json, did you tried to use the "INDEXED_EXTRACTIONS = JSON" option in props.conf?

or did you tried to use the "spath" command in search?

Anyway, if you want to use a regex, lete me understand, does you log contain? 

\"requestParameters\": {\"userName\": <username>

or 

"requestParameters": {"userName": <username>

in other words: in your logs are there slashes before quotes or not?

if yes, you could use a regex like this:

| rex "\\\"requestParameters\\\": \{\\\"userName\\\": \<(?<username>[^\>]*)"

if it doesn't run, please try this:

| rex "\\\\"requestParameters\\\\": \{\\\\"userName\\\\": \<(?<username>[^\>]*)"

If instead you don't have backslashes before quotes (as I suppose), please try this:

| rex "\"requestParameters\": \{\"userName\": \<(?<username>[^\>]*)"

If you could share a full logs I could be more sure

Ciao.

Giuseppe

 

 

0 Karma

Sasti
Engager

Hi @gcusello 

        Thanks dude,  now I can able to extract the username. let's have fun and enjoy.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Sasti,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

0 Karma

Sasti
Engager

Yeah, the log is JSON type, Thanks for your support I'll try this out with your examples and let you know if those work, or else I'll try to send the full logs.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

What have you tried so far and what's the result?

0 Karma

Sasti
Engager

So I tried some regex likes(rex field=_raw "requestParameters\:(?P<userName>(.*))\=", rex field=_raw "requestParameters\: userName:\s(?<user>[^\/]+)", rex field=_raw "requestParameters":\s{\"userName"\:[a-zA-Z]+(?=+(?:"}" ) and the result is nothing it's not fetching the username.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...