Solved: Rex field extraction

user93 · ‎05-12-2021

Hello,

I have a simple extraction I need to make on a new dataset that has not yet had the fields defined for me.

I want to extract the user name. The log structure is like so:

time stamp, server info, logstatus, userinfo, result

_raw= 2021-05-12 03:58:59,533 [#-####-abcd-#] INFO ServicesLogName#logStatus(): ## - User john.doe@username.com with IP 01.001.01.1 result [successful]

In every instance, the username value follows "User" and precedes "with IP"

Index=basesearch application=specified
|rex field=_raw "(?<username>")

Thank you!

ITWhisperer · ‎05-12-2021

Index=basesearch application=specified
|rex field=_raw "User\s(?<username>[^\s]+)\swith\sIP"

View solution in original post

ITWhisperer · ‎05-12-2021

Index=basesearch application=specified
|rex field=_raw "User\s(?<username>[^\s]+)\swith\sIP"

View solution in original post

Rex field extraction

using Splunk Enterprise

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Learn More or Register Now >

Rex field extraction

using Splunk Enterprise

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too! Learn More or Register Now >

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Learn More or Register Now >