Hi,
I'm trying to pull the user ID from the below data. The userids are: mspeer2, ddaniel, mirella, jcrews
I have a regex of
rex "(?i)^(?:[^\-]*\-){7}\"\s+\"(?P<loginid>[^\"]+)"
but it isn't working 100% (more like 50%)
"something.something.com" 75.27.137.133 "75.27.137.133" - - [15/Oct/2016:20:58:26 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 352093 0 UCT-193960 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-" "mspeer2"
"something.something.com" 104.57.183.12 "104.57.183.12" - - [15/Oct/2016:20:58:04 -0500] "GET /rest/icontrol/login HTTP/1.1" 200 158 0 UCT-42064 "-" "HCM-R1" "-" "ddaniel"
"something.something.com" 70.117.114.84 "70.117.114.84" - - [15/Oct/2016:20:55:14 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 135730 0 UCT-82180 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-" "mirella"
8:43:57.000 PM
"something.something.com" 70.114.175.247 "70.114.175.247" - - [15/Oct/2016:20:43:57 -0500] "GET /rest/icontrol/login?expand=instances,points,functions HTTP/1.1" 200 99115 0 UCT-81322 "-" "-" "-" "jcrews"
If the login name is always the last one to occur in the log line then you can try below:
.*\"(?<loginid>[^\"]+)\"$
Hi Gokadroid!
Many thanks! I've been working on figuring that out for a long time!!! Yours works great!!!!
No need to include all the text in front and " does not need to be escaped in the [], so this should do \"(?<loginid>[^"]+)\"$
Awesome!! If you can upvote the answer as well that will be great !!
Cool..thanks a lot @dbcase ...Happy Splunking!!
Thank you! You don't know how much this helped!
Whups, sorry. Ignore the 8:43:57 on the last event sample. Cut and paste error.
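Added example, not part of the thread: the question's hyphen-counting regex and the answers' end-anchored regex run over the four sample events in Python (which spells named groups `(?P<name>...)`), showing why the first matches only half of them. The `login_id` helper, its handling of a `-` placeholder and trailing whitespace, and the `ANON` line are assumptions constructed for illustration.

```python
import re

# Sample events copied from the question (the stray timestamp line is omitted).
EVENTS = [
    '"something.something.com" 75.27.137.133 "75.27.137.133" - - [15/Oct/2016:20:58:26 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 352093 0 UCT-193960 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-" "mspeer2"',
    '"something.something.com" 104.57.183.12 "104.57.183.12" - - [15/Oct/2016:20:58:04 -0500] "GET /rest/icontrol/login HTTP/1.1" 200 158 0 UCT-42064 "-" "HCM-R1" "-" "ddaniel"',
    '"something.something.com" 70.117.114.84 "70.117.114.84" - - [15/Oct/2016:20:55:14 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 135730 0 UCT-82180 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-" "mirella"',
    '"something.something.com" 70.114.175.247 "70.114.175.247" - - [15/Oct/2016:20:43:57 -0500] "GET /rest/icontrol/login?expand=instances,points,functions HTTP/1.1" 200 99115 0 UCT-81322 "-" "-" "-" "jcrews"',
]
# Constructed line (not from the thread): no login id, trailing whitespace.
ANON = '"something.something.com" 192.0.2.10 "192.0.2.10" - - [15/Oct/2016:21:00:00 -0500] "GET /rest/icontrol/login HTTP/1.1" 401 0 0 UCT-1 "-" "-" "-" "-"  '

# Regex from the question: needs exactly seven hyphens before the last field.
HYPHEN_COUNT = re.compile(r'(?i)^(?:[^\-]*\-){7}"\s+"(?P<loginid>[^"]+)')
# Regex from the answers, in Python named-group syntax: the last quoted field.
END_ANCHORED = re.compile(r'"(?P<loginid>[^"]+)"$')


def extract(pattern, line):
    """Return the loginid capture, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.group("loginid") if m else None


def hyphens_before_last_field(line):
    """Count the hyphens that precede the final quoted field."""
    return line[: line.rstrip().rfind(' "')].count("-")


def login_id(line):
    """Hypothetical helper: end-anchored extraction that tolerates trailing
    whitespace and treats the "-" placeholder as 'no user' (assumption)."""
    value = extract(END_ANCHORED, line.rstrip())
    return None if value in (None, "-") else value


if __name__ == "__main__":
    for event in EVENTS + [ANON]:
        print(hyphens_before_last_field(event),
              extract(HYPHEN_COUNT, event),
              extract(END_ANCHORED, event),
              login_id(event))
```

The hyphen count depends on request-controlled fields such as the user agent (`HCM-R1` adds one), so a field extraction keyed on it will silently drop events; anchoring on the end of the line does not have that dependency.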