Splunk Search

more regex help :/

tkerr1357
Path Finder

Hey All,

I am trying to pull the username from the following event which is everything after the Rightnetworks\ in the event. Also to complicate things It could be a name or a set of numbers or a name with numbers in it. Any help is apperciated.

here are some example events:

02/17/2021 11:45:19 AM LogName=Microsoft-Windows-TerminalServices-LocalSessionManager/Operational SourceName=Microsoft-Windows-TerminalServices-LocalSessionManager EventCode=25 EventType=4 Type=Information ComputerName=BPSQCP03S11.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=None OpCode=Info RecordNumber=1079076 Keywords=None Message=Remote Desktop Services: Session reconnection succeeded: User: RIGHTNETWORKS\465714 Session ID: 350 Source Network Address: 184.97.224.236

 

02/17/2021 11:45:18 AM LogName=Microsoft-Windows-TerminalServices-LocalSessionManager/Operational SourceName=Microsoft-Windows-TerminalServices-LocalSessionManager EventCode=25 EventType=4 Type=Information ComputerName=RNVSASP217.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=None OpCode=Info RecordNumber=1064633 Keywords=None Message=Remote Desktop Services: Session reconnection succeeded: User: RIGHTNETWORKS\veronicagutierrez Session ID: 342 Source Network Address: 216.67.212.82

Labels (1)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @tkerr1357,

Please try this;

| rex "User:\sRIGHTNETWORKS\\(?<username>[^\s]+)"
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma

scelikok
SplunkTrust
SplunkTrust

What is the problem? It is working for your sample events. Please see on Regex101.

https://regex101.com/r/xlvrf1/1 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

tkerr1357
Path Finder

looks like it was an issue with my search. I was able to add the regex provided as a field extraction and that provided what I was looking for. 

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @tkerr1357,

Please try this;

| rex "User:\sRIGHTNETWORKS\\(?<username>[^\s]+)"
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

tkerr1357
Path Finder

no such luck with this one.

0 Karma
Get Updates on the Splunk Community!

Cloud Platform | Customer Change Announcement: Email Notification Will Be Available ...

The Notification Team is migrating our email service provider since currently there’s no support ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...