Regex help required

SabariRajanT
Path Finder
Hi Team,
 
Can someone provide me the Regex for the below:
 
|search (UPN=*T@mail.eeir)

gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

If you could share a sample, it's easier to help you!

Anyway, what do you need:

  • a regex to search all the events where there's the string "UPN=*T@mail.eeir",
  • the extraction of the UPN field?

If the first you can use:

| regex "UPN\=.*T\@mail\.eeir"

If the second, I need a sample.

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

OK, good for you, see you next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉


SabariRajanT
Path Finder

Hi @gcusello 

Thanks for your response. The main goal is to ignore the capital "T" as shown below in the UPN

|search (UPN=*T@mail.weir).

If you could provide the query accordingly, as per regex101, that would be great.

Thanks,

Sabari


gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

could you share a sample?

Ciao.

Giuseppe


SabariRajanT
Path Finder

sample - UPN=*t@cloud.weir

Required to remove the above "t" and "T".


gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

please, try this

| regex "UPN\=.*(T|t)\@mail\.eeir"

Ciao.

Giuseppe


SabariRajanT
Path Finder

@gcusello 

Thanks for your response!

It doesn't work out well.

When I use a NOT operator like below, the "t" and "T" should be ignored.

search NOT (UPN=*t@cloud.eeir)


gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

did you try the search without using regex?

| search NOT (UPN=*t@cloud.eeir)

Splunk searches aren't case sensitive.

Ciao.

Giuseppe

SabariRajanT
Path Finder

Hi @gcusello 

Yes, I did that! But no luck. There are n number of IDs with "T" and "t". The regex part will help it out, I believe.


gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

as I said, I could help you more if you share some samples of your data (the events, not the rule!): data to take and data to exclude.

Ciao.

Giuseppe

SabariRajanT
Path Finder

Hi @gcusello 

Let me explain the scenario in detail:

When I query as below, I get the UPN details with "T" as shown. 

index=xxx | eval UPN=mvindex('userStates{}.userPrincipalName',0) |search UPN = "*T@mail.eeir"
|table UPN

xxx.mmm@mail.eeir
yyy.Mmmm@mail.eeir
zzz.rrrr@mail.eeir
cccc.eeeeT@mail.eeir

If you see the above data, the xxx, yyy, cccT UPN data is coming up. But I need to ignore the "T" here and show all the rest of the UPN data, as below:

xxx.mmm@mail.eeir
yyy.Mmmm@mail.eeir
zzz.rrrr@mail.eeir
cccc.eeee@mail.eeir

For the same, I am trying to use the below query with the regex command. But no luck, the regex is not working. 

index=graphsecurityalert | eval UPN=mvindex('userStates{}.userPrincipalName',0) |rex!=UPN = "*T@mail.eeir" |table UPN

If you could provide the following rex, that would be great - |rex!=UPN = "*T@mail.eeir"

SabariRajanT
Path Finder

thanks


gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

please, try this regex:

| rex mode=sed field=UPN "s/(\w+\.\w+)[Tt]\@(.*)/\1\@\2/g"

Ciao.

Giuseppe
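An added example, not code from the thread: it emulates the `rex mode=sed` substitution above with Python's `re` module over a few constructed UPN values, and contrasts the character-class form `[Tt]` with an unparenthesised `T|t` alternation, which splits the whole expression into two alternatives and breaks the `\1@\2` replacement. It assumes Python's regex semantics match Splunk's sed mode closely enough for this pattern.

```python
import re

# Constructed sample UPN values modelled on the thread (not real accounts).
SAMPLE_UPNS = [
    "xxx.mmm@mail.eeir",
    "yyy.Mmmm@mail.eeir",
    "zzz.rrrr@mail.eeir",
    "cccc.eeeeT@mail.eeir",
    "dddd.fffft@mail.eeir",
]

# Unparenthesised alternation: the regex is really "(\w+\.\w+)T" OR "t@(.*)",
# so group 1 and group 2 are never both captured in a single match.
ALTERNATION_PATTERN = re.compile(r"(\w+\.\w+)T|t@(.*)")

# Character class keeps the T/t choice local; both groups are always captured.
FIXED_PATTERN = re.compile(r"(\w+\.\w+)[Tt]@(.*)")


def strip_trailing_t(upn: str, pattern: re.Pattern = FIXED_PATTERN) -> str:
    """Emulate `rex mode=sed field=UPN "s/<pattern>/\\1@\\2/g"` on one value."""
    # Python substitutes an unmatched group with "", which is how the
    # alternation form produces a doubled "@" on the capital-T case.
    return pattern.sub(r"\1@\2", upn)


def clean_upns(upns: list[str], pattern: re.Pattern = FIXED_PATTERN) -> list[str]:
    """Apply the substitution to every value, as `| rex` does per event."""
    return [strip_trailing_t(u, pattern) for u in upns]


if __name__ == "__main__":
    for raw in SAMPLE_UPNS:
        print(f"{raw:24} fixed={strip_trailing_t(raw):24} "
              f"alternation={strip_trailing_t(raw, ALTERNATION_PATTERN)}")
```

Note that `[Tt]` removes any trailing t or T before the `@`, so a genuine user part ending in "t" is altered as well; if only a specific suffix should be stripped, anchor the pattern to that suffix instead.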
