Regular Expression to Extract a username out after matching a Specific String of Characters

zzaveri
Explorer

Hi All,

I am attempting to do a field extraction using regular expression and I am having some trouble. I have the following syslog message below from a test Juniper firewall. The username I am logging in with is jdoe-2fa and I have other users that have usernames as well with "-2fa" in their username. What I am trying to do is create a regular expression that searches for -2fa but extracts the actual full username jdoe-2fa so that I can create a field called user.

Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 [Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH from 192.168.1.100:53429 (2018-01-09 15:35:15)

0 Karma
1 Solution

mayurr98
Super Champion

Try this

index=<your_index>   | rex field=_raw “user\s(?<user>[^\/]+)” | search user=*-2fa

Let me know if this helps


micahkemp
Champion

Your double quotes came across wrong.

| rex field=_raw "user\s(?<user>[^\/]+)"
0 Karma

zzaveri
Explorer

Thank you that resolved the issue.

0 Karma

micahkemp
Champion

If the answer solved your issue, please accept it so the question looks resolved.

0 Karma

zzaveri
Explorer

I get the following message

Error in 'SearchParser': Missing a search command before '^'. Error at position '55' of search query 'search index="indexname" | rex field=_raw “user\s(?[^\/]+)” |}'.

0 Karma

mayurr98
Super Champion

What query are you running? Put it in 101010 sample code.

0 Karma

micahkemp
Champion

Actually this seems closer to what was asked for. At first I was thinking it was asked to separate the -2fa from the rest of the username, but at second glance that doesn’t appear to be the case.

0 Karma

mayurr98
Super Champion

No worries, happens 🙂 You are doing quite well; the .conf18 pass for this month is mostly yours!

0 Karma

micahkemp
Champion

Hopefully we'll both get to go and enjoy some beverages!

It's basically this month or bust for me. They'll put me back to work next month, so I won't have nearly as much time to post on answers.

0 Karma

mayurr98
Super Champion

Yeah, I hope so. All the best!

0 Karma

micahkemp
Champion

Run anywhere example:

| makeresults | eval _raw="Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 [Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH from 192.168.1.100:53429 (2018-01-09 15:35:15)"
| rex "user (?<full_user>(?<no_2fa_user>[^\/]+?)(-2fa)?)\/"
0 Karma
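The two rex patterns from this thread, replayed in Python against the sample event so the capture behaviour can be checked offline; this is an added example, not code from any of the answers above. It assumes Python's re module, where Splunk's (?<name>...) groups must be written (?P<name>...), and the second event is a constructed non-2fa admin login.

```python
import re

# Constructed sample events in the NetScreen syslog shape from the thread:
# the first is the question's own line, the second a constructed admin without -2fa.
EVENTS = [
    "Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 "
    "[Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH "
    "from 192.168.1.100:53429 (2018-01-09 15:35:15)",
    "Jan 9 07:40:02 192.168.1.254 firewall001: NetScreen device_id=firewall001 "
    "[Root]system-warning-00515: Admin user asmith/904801 has logged on via SSH "
    "from 192.168.1.101:53430 (2018-01-09 15:40:01)",
]

# Accepted answer: everything after "user " up to the first "/".
# Splunk's (?<user>...) is written (?P<user>...) for Python's re module.
USER_RE = re.compile(r"user\s(?P<user>[^/]+)")

# Run-anywhere pattern: the lazy [^/]+? stops early so the optional (-2fa)?
# group can claim the suffix, leaving no_2fa_user as the bare name.
SPLIT_RE = re.compile(r"user (?P<full_user>(?P<no_2fa_user>[^/]+?)(-2fa)?)/")


def extract_user(event: str):
    """Return the full username after 'user ', or None if the event does not match."""
    m = USER_RE.search(event)
    return m.group("user") if m else None


def split_user(event: str):
    """Return (full_user, no_2fa_user), or None if the event does not match."""
    m = SPLIT_RE.search(event)
    return (m.group("full_user"), m.group("no_2fa_user")) if m else None


def two_fa_logins(events):
    """Equivalent of '| search user=*-2fa': only usernames ending in -2fa."""
    return [u for u in map(extract_user, events) if u and u.endswith("-2fa")]


if __name__ == "__main__":
    for event in EVENTS:
        print(extract_user(event), split_user(event))
    print(two_fa_logins(EVENTS))
```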