Splunk Search

Why is sourcetype pan:threat extracting incorrect fields?

IngmarHicoz
Engager

Hi all. So, on my es-security search head, this sourcetype is incorrectly parsing the user field. It is capturing all users correctly, but it's also capturing random stuff from the same log types where a username isn't present. I tried messing with the props.conf and transforms.conf, but nothing seems to do anything. Does anyone have a good idea where to start? I tried to make a fresh field extraction also for just the user field, but it made no difference.


somesoni2
Revered Legend

Look at the field extraction config (regex) and see why it's failing for logs with no user value. You probably have to write a regex that puts null/blank if the regex is not found. We'd need the current regex and sample logs (for both where the regex works and doesn't) to comment anything else.

IngmarHicoz
Engager

@somesoni2 


coalesce(mvindex(split(src_user,"\\"),1),mvindex(split(dest_user,"\\"),1),recipient,sender,"unknown") ,

So this is the regex that is listed in the sourcetype as EVAL-user; it looks like that sourcetype is defined in Splunk Enterprise Security. Here is a log it works on:


Jun 16 11:08:50 1.1.1.1 1 <14>1 2022-06-16T11:08:53-04:00 1.1.1.1 - - - - 1,2022/06/16 11:08:53,111111111111,THREAT,vulnerability,2305,2022/06/16 11:08:38,1.1.1.1,1.1.1.1,0.0.0.0,0.0.0.0,MPLS_Inbound Allow All,test\user,,ms-wmi,vsys1,EXT-MPLS,INT-LAN,ethernet1/1,ae1,test,2022/06/16 11:08:38,1612859,1,58153,49154,0,0,0x2000,tcp,alert,,Microsoft Windows NTLMSSP Detection(111111),any,informational,client-to


And here is one where it is pulling random


Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,,," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,1100,0,0,0,,abc123123," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",,,,0,,0,,N/A,info-leak,AppThreat-1111-7437,0x0,0,4294967295," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",53182164-f27e-48e8-ae5d-e502b5ff412b,0,,,,,,,,,,,,,,,,,,,,,,,,,,," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,1969-12-31T19:00:00.000-05:00,," Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,infrastructure,networking,network-protocol,2,"has-known-vulnerability,tunnel-other-application,pervasive-use",msrpc,untunneled,no,no


Here it's pulling user as: Qualys Cloud Agent URLs,computer-and-internet-info,low-risk


This was my proposed fix: [\w]+\\(?<user>[\w]+), but it doesn't seem to do anything. TYVM!

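To make the behaviour in this thread concrete, here is an added Python model of the `EVAL-user` expression quoted above and of the proposed regex; it is example code written for this page, not the Splunk Enterprise Security or Palo Alto add-on configuration. The two field sets and raw excerpts are constructed from the events in the thread. Because `mvindex(split(x,"\"),1)` is null whenever `x` holds no backslash, the odd string cannot come out of the `src_user`/`dest_user` branches; the example assumes (and labels) that it reaches `user` through one of the later `coalesce()` branches, which the thread does not establish. It also shows why a new `user` extraction changes nothing on its own: Splunk applies `EVAL-*` calculated fields after search-time extractions, so the calculated value wins over the extracted one. The mitigation shown, accepting a candidate only when it looks like a bare account name, is the example's own suggestion (`eval_user_guarded`), not a setting from the add-on.

```python
import re
from typing import Optional

SPL_NULL = None  # models Splunk null(): an absent field, skipped by coalesce()


def split_mvindex(value: Optional[str], sep: str, idx: int) -> Optional[str]:
    """Model of mvindex(split(value, sep), idx): split() of an absent field is
    null, and mvindex() past the end of the multivalue is null as well.
    Empty strings are treated as absent, as a CSV column with no text would be."""
    if not value:
        return SPL_NULL
    parts = value.split(sep)
    return parts[idx] if 0 <= idx < len(parts) else SPL_NULL


def coalesce(*candidates: Optional[str]) -> Optional[str]:
    """Model of Splunk coalesce(): the first argument that is not null."""
    for candidate in candidates:
        if candidate is not None:
            return candidate
    return SPL_NULL


def eval_user(fields: dict) -> str:
    """The EVAL-user expression quoted in the thread, evaluated over already
    extracted fields:
    coalesce(mvindex(split(src_user,"\\"),1), mvindex(split(dest_user,"\\"),1),
             recipient, sender, "unknown")"""
    return coalesce(
        split_mvindex(fields.get("src_user"), "\\", 1),
        split_mvindex(fields.get("dest_user"), "\\", 1),
        fields.get("recipient") or None,   # empty string modelled as null
        fields.get("sender") or None,
        "unknown",
    )


# Added guard (assumption, not the add-on's eval): a username after the
# DOMAIN\ prefix is letters, digits, underscore, dot or hyphen only.
USERNAME_RE = re.compile(r"^[\w.-]+$")


def eval_user_guarded(fields: dict) -> str:
    """Same coalesce chain, but each candidate is accepted only if it looks
    like a bare account name; a value carrying spaces or commas (for example
    a misaligned CSV column) is treated as null and the chain moves on."""
    def ok(candidate: Optional[str]) -> Optional[str]:
        return candidate if candidate and USERNAME_RE.match(candidate) else SPL_NULL

    return coalesce(
        ok(split_mvindex(fields.get("src_user"), "\\", 1)),
        ok(split_mvindex(fields.get("dest_user"), "\\", 1)),
        ok(fields.get("recipient")),
        ok(fields.get("sender")),
        "unknown",
    )


# The extraction proposed in the thread, [\w]+\\(?<user>[\w]+), written with
# Python's (?P<...>) named-group syntax.
PROPOSED_RE = re.compile(r"[\w]+\\(?P<user>[\w]+)")


def regex_user(raw: str) -> Optional[str]:
    """What a search-time regex extraction yields from the raw event: a value
    only when DOMAIN\\name is present, otherwise no field at all (null)."""
    match = PROPOSED_RE.search(raw)
    return match.group("user") if match else SPL_NULL


# Constructed samples modelled on the two events quoted in the thread.
RAW_GOOD = "0.0.0.0,MPLS_Inbound Allow All,test\\user,,ms-wmi,vsys1,EXT-MPLS"
RAW_BAD = '" Qualys Cloud Agent URLs,computer-and-internet-info,low-risk",0,,,'
ODD_VALUE = "Qualys Cloud Agent URLs,computer-and-internet-info,low-risk"

GOOD_EVENT = {"src_user": "test\\user", "dest_user": ""}
# Assumption for illustration: the odd string reaches the eval via "sender".
BAD_EVENT = {"src_user": "", "dest_user": "", "sender": ODD_VALUE}


if __name__ == "__main__":
    for label, fields, raw in (("working", GOOD_EVENT, RAW_GOOD),
                               ("odd", BAD_EVENT, RAW_BAD)):
        print(f"{label:8s} regex={regex_user(raw)!r} "
              f"eval={eval_user(fields)!r} guarded={eval_user_guarded(fields)!r}")
```

Running the block shows the working event yielding `user` from every path, while the odd event gets nothing from the proposed regex, the full odd string from the unguarded eval, and `unknown` from the guarded one. Translated back to props.conf, the guard is a `match()` check around each `coalesce()` candidate in `EVAL-user`; check the add-on's own escaping rules before copying a backslash pattern into the eval string.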