Below is the event:
-f LOGIN -s 181xxxxxxxxxx84 -u 00xxx -H qmxwwssddsddddwwssaa
The login username always comes after "-u". How can I extract that user and map it against a field?
The location of "-u 00xxx" is variable and depends on the type of event.
You could use the following regex for instance:
your base search
| rex "\-u (?<username>\S+)"
For example:
| stats count
| fields - count
| eval _raw = "LOGIN -s 181xxxxxxxxxx84 -u 00xxx -H qmxwwssddsddddwwssaa"
| rex field=_raw "\-u (?<username>\S+)"
Output:
username
----------------
00xxx
Hi rashid47010,
your regex for field extraction is -u\s(?<user>[^ ]*)
or rex command
| rex "-u\s(?<user>[^ ]*)"
See your example at https://regex101.com/r/GfQtmz/3
Bye.
Giuseppe
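The two rex patterns above behave the same on the posted event but differ on edge cases; the following Python script (added here, not from the thread) runs both against constructed events where "-u" sits in different positions, using Python's re as a stand-in for Splunk's PCRE (assumed equivalent for these simple patterns).

```python
import re
from typing import List, Optional

# Javiergn's pattern: literal "-u ", then the next run of non-whitespace characters.
USERNAME_RE = re.compile(r"-u (?P<username>\S+)")
# Giuseppe's pattern: "-u", one whitespace char, then any run of non-space characters
# (note: [^ ]* excludes only the space character and may match an empty string).
USERNAME_RE_ALT = re.compile(r"-u\s(?P<user>[^ ]*)")


def extract_username(event: str, pattern: re.Pattern = USERNAME_RE) -> Optional[str]:
    """Return the value following -u in a Splunk-style event, or None if not matched."""
    m = pattern.search(event)
    return m.group(1) if m else None


# Constructed sample events (not from the thread); -u appears at varying positions
# and is absent from the last one.
EVENTS = [
    "LOGIN -s 181xxxxxxxxxx84 -u 00xxx -H qmxwwssddsddddwwssaa",
    "LOGOUT -u 00yyy -s 181xxxxxxxxxx84",
    "LOGIN -H qmxwwssddsddddwwssaa -s 181xxxxxxxxxx84 -u 00zzz",
    "HEARTBEAT -s 181xxxxxxxxxx84",
]


def extract_all(events: List[str], pattern: re.Pattern = USERNAME_RE) -> List[Optional[str]]:
    """Apply the extraction to every event, mirroring what | rex does per _raw."""
    return [extract_username(e, pattern) for e in events]


if __name__ == "__main__":
    for event, user in zip(EVENTS, extract_all(EVENTS)):
        print(f"{user!s:>6}  <-  {event}")
```

The differences only show up on malformed input: a doubled space after -u yields no match with \S+ but an empty username with [^ ]*, and a tab-separated event is not matched by the literal-space pattern at all while [^ ]* runs past the tab into the next flag.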
@rashid47010 any reason you marked this as accepted answer and not mine?
1) This answer shouldn't even be here when mine was posted 1 hour before as it's not adding anything new and it suspiciously seems slightly different in purpose: changing \S+ with [^ ], changing a blank space with \s, come on.
2) If there is a valid answer already please either add a better one and explain why or give it the points but do not post the same answer twice.
3) @ppablo_splunk can you mediate please?
@Javiergn, sorry for the late reply, I just saw your message. Actually, for the stated question I am using
"\S+" as you mentioned in your reply.