Solved: get rex expression

Marwalg · ‎08-19-2016

my regex expression works properly but I since I'am newbie in splunk I didn't know how to get the rex expression. I would like to extract users that do not begin with PC, PRT and SRV. My regex expression is :

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 | regex _raw!="Nom\Wdu\Wcompte\W:\s*(PC|SRV|PRT)"

Please advise?

Raghav2384 · ‎08-19-2016

Hey @Marwaig,

How about extracting all the users and then apply a condition that username != PC* OR PRT* OR SRV?

If you want to acheive this only via rex, could you post psuedo events?

I have extracted all users from my _audit logs using rex like rex field=_raw "User:\s(?P<Username>\w+)\s "

Then i added a condition like |search Username != "PC*" OR Username !="PRT*" etc.

Hope this helps!

Thanks,
Raghav

View solution in original post

Raghav2384 · ‎08-19-2016

Hey @Marwaig,

How about extracting all the users and then apply a condition that username != PC* OR PRT* OR SRV?

If you want to acheive this only via rex, could you post psuedo events?

I have extracted all users from my _audit logs using rex like rex field=_raw "User:\s(?P<Username>\w+)\s "

Then i added a condition like |search Username != "PC*" OR Username !="PRT*" etc.

Hope this helps!

Thanks,
Raghav

Marwalg · ‎08-21-2016

Yes ! it works perfectly 😄 😄 thanks for the answer 🙂

get rex expression

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

get rex expression

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk