I am attempting to do a field extraction using a regular expression and I am having some trouble. I have the following syslog message below from a test Juniper firewall. The username I am logging in with is jdoe-2fa, and I have other users whose usernames also contain "-2fa". What I am trying to do is create a regular expression that searches for -2fa but extracts the actual full username jdoe-2fa, so that I can create a field called user.
Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 [Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH from 192.168.1.100:53429 (2018-01-09 15:35:15)
Run anywhere example:
| makeresults | eval _raw="Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 [Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH from 192.168.1.100:53429 (2018-01-09 15:35:15)" | rex "user (?<full_user>(?<no_2fa_user>[^\/]+?)(-2fa)?)\/"
index=<your_index> | rex field=_raw "user\s(?<user>[^\/]+)" | search user=*-2fa
Let me know if this helps
Actually, this seems closer to what was asked for. At first I was thinking it was asked to separate the -2fa from the rest of the username, but at second glance that doesn't appear to be the case.
No worries, it happens 🙂 You are doing quite well; the .conf18 pass for this month is mostly yours!
Hopefully we'll both get to go and enjoy some beverages!
It's basically this month or bust for me. They'll put me back to work next month, so I won't have nearly as much time to post on answers.
I get the following message
Error in 'SearchParser': Missing a search command before '^'. Error at position '55' of search query 'search index="indexname" | rex field=_raw “user\s(?[^\/]+)” |}'.
Your double quotes came across wrong.
| rex field=_raw "user\s(?<user>[^\/]+)"
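The two rex patterns in this thread (the run-anywhere one that captures both the full username and the part before -2fa, and the simpler one that captures the whole username and then filters on *-2fa) can be checked outside Splunk before they go into a field extraction. The following is an added example, not code from the thread or from Splunk: it applies both patterns to constructed syslog lines modelled on the one in the question, using Python's re module. Splunk's rex uses PCRE named groups written (?<name>...), so the same regexes are rewritten here with Python's (?P<name>...) form; the second sample event, the function names and the username admin are assumptions for illustration.

```python
import re

# Constructed sample events modelled on the NetScreen message in the question.
# The first is the original line; the second is an invented non-2fa login.
SAMPLE_EVENTS = [
    "Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 "
    "[Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH "
    "from 192.168.1.100:53429 (2018-01-09 15:35:15)",
    "Jan 9 07:36:02 192.168.1.254 firewall001: NetScreen device_id=firewall001 "
    "[Root]system-warning-00515: Admin user admin/904745 has logged on via SSH "
    "from 192.168.1.101:53430 (2018-01-09 15:36:01)",
]

# Same regexes as the thread, with PCRE (?<name>) groups written as Python (?P<name>).
# [^/] is equivalent to the [^\/] used in the SPL; the slash needs no escape in Python.
# The lazy [^/]+? lets the optional (-2fa)? group claim the suffix before the "/".
FULL_AND_STRIPPED = re.compile(r"user (?P<full_user>(?P<no_2fa_user>[^/]+?)(-2fa)?)/")
# The simpler pattern: everything between "user " and the next "/".
USER_ONLY = re.compile(r"user\s(?P<user>[^/]+)")


def extract_users(event):
    """Return the fields both rex commands would create, or None if no match."""
    m_full = FULL_AND_STRIPPED.search(event)
    m_user = USER_ONLY.search(event)
    if not (m_full and m_user):
        return None
    return {
        "full_user": m_full.group("full_user"),
        "no_2fa_user": m_full.group("no_2fa_user"),
        "user": m_user.group("user"),
    }


def filter_2fa_logins(events):
    """Equivalent of '| search user=*-2fa': keep only usernames ending in -2fa."""
    matched = []
    for event in events:
        fields = extract_users(event)
        if fields and fields["user"].endswith("-2fa"):
            matched.append(fields["user"])
    return matched


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_users(event))
    print("2fa logins:", filter_2fa_logins(SAMPLE_EVENTS))
```

Running the block shows that the run-anywhere pattern yields full_user=jdoe-2fa and no_2fa_user=jdoe for the original line, while for a username without the suffix both groups hold the same value; the filter step keeps only jdoe-2fa, which is the behaviour the `search user=*-2fa` clause gives in Splunk.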