Splunk Search

Regular Expression to Extract a username out after matching a Specific String of Characters

zzaveri
Explorer

Hi All,

I am attempting to do a field extraction using regular expression and I am having some trouble. I have the following syslog message below from a test Juniper firewall. The username I am logging in with is jdoe-2fa and I have other users that have usernames as well with "-2fa" in their username. What I am trying to do is create a regular expression that searches for -2fa but extracts the actual full username jdoe-2fa so that I can create a field called user.

Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 [Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH from 192.168.1.100:53429 (2018-01-09 15:35:15)

0 Karma
1 Solution

mayurr98
SplunkTrust
SplunkTrust

Try this

index=<your_index>   | rex field=_raw “user\s(?<user>[^\/]+)” | search user=*-2fa

Let me know if this helps

View solution in original post

micahkemp
Champion

Your double quotes came across wrong.

| rex field=_raw "user\s(?<user>[^\/]+)"

0 Karma

zzaveri
Explorer

Thank you that resolved the issue.

0 Karma

micahkemp
Champion

If the answer solved your issue, please accept it so the question looks resolved.

0 Karma

zzaveri
Explorer

I get the following message

Error in 'SearchParser': Missing a search command before '^'. Error at position '55' of search query 'search index="indexname" | rex field=_raw “user\s(?[^\/]+)” |}'.

0 Karma

mayurr98
SplunkTrust
SplunkTrust

What query are you running? Put it in 101010 sample code.

0 Karma

micahkemp
Champion

Actually this seems closer to what was asked for. At first I was thinking it was asked to separate the -2fa from the rest of the username, but at second glance that doesn’t appear to be the case.

0 Karma

mayurr98
SplunkTrust
SplunkTrust

No worries, happens 🙂 You are doing quite well, .conf18 pass for this month is mostly yours!

0 Karma

micahkemp
Champion

Hopefully we'll both get to go and enjoy some beverages!

It's basically this month or bust for me. They'll put me back to work next month, so I won't have nearly as much time to post on answers.

0 Karma

mayurr98
SplunkTrust
SplunkTrust

Yeah, I hope so, all the best!

0 Karma

micahkemp
Champion

Run anywhere example:

| makeresults | eval _raw="Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 [Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH from 192.168.1.100:53429 (2018-01-09 15:35:15)"
| rex "user (?<full_user>(?<no_2fa_user>[^\/]+?)(-2fa)?)\/"

0 Karma
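As an added example, not posted by anyone in the thread, the run-anywhere regex above is checked in Python against constructed NetScreen-style events (the first is the line from the question; the others are made up here), together with a check for the curly quotes that caused the SearchParser error. The names SAMPLE_EVENTS, extract_user, users_with_2fa and has_typographic_quotes are assumed here; Splunk's rex uses PCRE, so the only change is Python's (?P<name>...) group syntax.

```python
import re

# Constructed sample events in the Juniper/NetScreen syslog format from the thread.
SAMPLE_EVENTS = [
    "Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 "
    "[Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH "
    "from 192.168.1.100:53429 (2018-01-09 15:35:15)",
    # Made-up user without the -2fa suffix
    "Jan 9 07:36:02 192.168.1.254 firewall001: NetScreen device_id=firewall001 "
    "[Root]system-warning-00515: Admin user asmith/904745 has logged on via SSH "
    "from 192.168.1.101:53430 (2018-01-09 15:36:01)",
    # Made-up event with no 'user .../' token at all
    "Jan 9 07:37:10 192.168.1.254 firewall001: NetScreen device_id=firewall001 "
    "[Root]system-notification-00001: Configuration saved by admin",
]

# Same pattern as the run-anywhere example: the lazy [^/]+? stops as early as the
# optional (-2fa)? and the trailing '/' allow, so the suffix lands outside no_2fa_user.
USER_RE = re.compile(r"user (?P<full_user>(?P<no_2fa_user>[^/]+?)(-2fa)?)/")


def extract_user(event):
    """Return (full_user, no_2fa_user), or None when the event has no 'user .../' token."""
    m = USER_RE.search(event)
    if m is None:
        return None
    return m.group("full_user"), m.group("no_2fa_user")


def users_with_2fa(events):
    """Equivalent of '| search user=*-2fa' on the extracted field."""
    found = []
    for event in events:
        extracted = extract_user(event)
        if extracted is not None and extracted[0].endswith("-2fa"):
            found.append(extracted[0])
    return found


def has_typographic_quotes(spl):
    """True when an SPL string carries curly quotes, which the parser does not
    accept as string delimiters (the cause of the 'Missing a search command' error)."""
    return any(ch in spl for ch in "\u201c\u201d\u2018\u2019")


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_user(event))
    print(users_with_2fa(SAMPLE_EVENTS))
```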