Some comments:
When you say you tried my recommendation, the command you paste looks nothing like it. That might be because of format issues. I know I had to edit my answer a few times to get it right, using backquotes, so if you used the notification email from splunk it might not have had the updates... I'm not sure!
I'm quite sure the 3 slashes are wrong 🙂 You're right that one won't work as it needs to be escaped, but that means you only need two. The third slash will escape the bracket. So \\\(?.*) basically will match a backslash (because of the \\ ) optionally followed by an opening bracket (because of \(? ) followed by any amount of any character (because of the .* ) followed by a closing bracket (because of the ) ), and that will probably not match anything, and even if it did it wouldn't extract anything.
Does your data in pan:traffic already have a field called "username"? If yes, why do you need the rex bit at all? If not, you need to actually extract it as I initially suggested, with something like sourcetype=pan:traffic | rex field=user "mydomain\\(?P<username>.*)" | search username=user1 | rename src_ip AS src | fields src
You are quite right that you don't need to use rex. If search doesn't work, try where: search sourcetype=pan:traffic | where user="mydomain\\$username$" | ... . If that doesn't work, try breaking it up: search sourcetype=pan:traffic | where user="mydomain\\" + $username$ | ... . You could also try a simple regex command: search sourcetype=pan:traffic | regex user=$username$ | ...
Let's agree on the following steps to make this work, whatever solution you go with:
1) Establish that the subsearch works. It should produce a single column named "src" with one or more values listed. Let's suppose you go with this solution (and suppose it works): search sourcetype=pan:traffic | regex user=user1 | rename src_ip AS src | fields src
2) Add | format to the end of that subsearch, like so: search sourcetype=pan:traffic | regex user=user1 | rename src_ip AS src | fields src | format. That should produce a search column containing something like (src="1.2.3.4")
3) Try the outer search on its own, pasting the result from the "format" command in step 2: block OR deny (src="1.2.3.4") I'm guessing it should work if your data has a "src" field.
4) Try both searches together, e.g.: block OR deny [search sourcetype=pan:traffic | regex user=user1 | rename src_ip AS src | fields src] (don't use the | format bit any more)
5) If that works, put the exact same thing in your dashboard.
6) If that works, try to replace user1 with your $username$ token.
Hope that helps...
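As an added example (not part of this thread or of Splunk itself), a small Python stand-in for the rex extraction and for steps 1 and 2 above: it shows why the three-backslash pattern from the question is rejected while the two-backslash form captures the username, then builds the src list and the filter shape that | format hands to the outer search. The events are constructed and the format rendering is simplified.

```python
import re

# Constructed sample events in the shape of pan:traffic rows (not real data).
EVENTS = [
    {"user": r"mydomain\user1", "src_ip": "10.0.0.5"},
    {"user": r"mydomain\user2", "src_ip": "10.0.0.6"},
    {"user": r"mydomain\user1", "src_ip": "10.0.0.7"},
]

# Three-slash pattern from the question: "\\" is one literal backslash and
# "\(" escapes the parenthesis, so no group opens and the trailing ")" is
# unbalanced; PCRE (which rex uses) and Python's re both reject it.
THREE_SLASH = r"mydomain\\\(?.*)"

# Two-slash pattern: "\\" matches the literal backslash and "(?P<username>.*)"
# captures the remainder into the field "username".
TWO_SLASH = r"mydomain\\(?P<username>.*)"


def pattern_compiles(pattern: str) -> bool:
    """True when the regex is accepted, False on a syntax error."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def extract_username(pattern: str, value: str):
    """Stand-in for rex field=user "<pattern>": the captured username,
    or None when there is no match or no such group."""
    match = re.search(pattern, value)
    return None if match is None else match.groupdict().get("username")


def subsearch_srcs(events, username: str):
    """Step 1 of the post: extract the username, keep matching rows,
    rename src_ip to src and return the distinct src values in order."""
    seen = []
    for event in events:
        if extract_username(TWO_SLASH, event["user"]) == username:
            if event["src_ip"] not in seen:
                seen.append(event["src_ip"])
    return seen


def format_filter(srcs):
    """Step 2: render the list roughly the way | format hands it to the
    outer search (simplified; Splunk adds extra parentheses and spacing)."""
    return " OR ".join(f'(src="{s}")' for s in srcs)
```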