Solved: get rex expression

Marwalg · ‎08-19-2016

my regex expression works properly but I since I'am newbie in splunk I didn't know how to get the rex expression. I would like to extract users that do not begin with PC, PRT and SRV. My regex expression is :

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 | regex _raw!="Nom\Wdu\Wcompte\W:\s*(PC|SRV|PRT)"

Please advise?

Raghav2384 · ‎08-19-2016

Hey @Marwaig,

How about extracting all the users and then apply a condition that username != PC* OR PRT* OR SRV?

If you want to acheive this only via rex, could you post psuedo events?

I have extracted all users from my _audit logs using rex like rex field=_raw "User:\s(?P<Username>\w+)\s "

Then i added a condition like |search Username != "PC*" OR Username !="PRT*" etc.

Hope this helps!

Thanks,
Raghav

View solution in original post

Raghav2384 · ‎08-19-2016

Hey @Marwaig,

How about extracting all the users and then apply a condition that username != PC* OR PRT* OR SRV?

If you want to acheive this only via rex, could you post psuedo events?

I have extracted all users from my _audit logs using rex like rex field=_raw "User:\s(?P<Username>\w+)\s "

Then i added a condition like |search Username != "PC*" OR Username !="PRT*" etc.

Hope this helps!

Thanks,
Raghav

Marwalg · ‎08-21-2016

Yes ! it works perfectly 😄 😄 thanks for the answer 🙂

get rex expression

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation