Hi @SabariRajanT,

ok, good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Hi @gcusello 

Thanks for your response. The main gole is to ignore the Capital "T" as shown below in the UPN

|search (UPN=*T@mail.weir).

If you could provide the Query accordingly as per regex 101 that would be great.

Thanks,

Sabari

Hi @SabariRajanT,

could share a sample?

Ciao.

Giuseppe

sample - UPN=*t@cloud.weir

Required to remove above "t" and "T".

Hi @SabariRajanT,

please, try this

| regex "UPN\=.*(T|t)\@mail\.eeir"

Ciao.

Giuseppe

@gcusello 

Thanks for your response.!

It doesn't work out well

When i use a Not operator like below. The "t" "T" should ignore

search NOT (UPN=*t@cloud.eeir)

Hi @SabariRajanT,

did you tried the search without using regex?

| search NOT (UPN=*t@cloud.eeir)

Splunk searches aren't case sensitive.

Ciao.

Giuseppe

hi @gcusello 

Yes did that.! But no luck. There are n no of id's with "T" "t". The regex part will help it out as i believe.

Hi @SabariRajanT,

as I said, I could help you more, if you share some sample of your data (the events not the rule!): data to take and data to exclude.

Ciao.

Giuseppe

Hi @gcusello 

Let me explain you the scenario in details:

when I query below, I get the UPN details with "T" as below. 

index=xxx | eval UPN=mvindex('userStates{}.userPrincipalName',0) |search UPN = "*T@mail.eeir"
|table UPN

If you see above data xxx , yyy, cccT UPN data's  coming up. But I need to ignore "T" here and show the rest all UPN data like as below

For the same am trying to use below query with regex command. But no luck regex is not working. 

index=graphsecurityalert | eval UPN=mvindex('userStates{}.userPrincipalName',0) |rex!=UPN = "*T@mail.eeir" |table UPN

if you provide the following rex will be great - |rex!=UPN = "*T@mail.eeir"

thanks

Hi @SabariRajanT,

please, try this regex:

| rex mode=sed field=UPN "s/(\w+\.\w+)T|t\@(.*)/\1\@\2/g"

Ciao.

Giuseppe