Splunk Search

Regex help required

SabariRajanT
Path Finder
Hi Team,
 
Can someone provide me the Regex for the below:
 
|search (UPN=*T@mail.eeir)
Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

if you could share a sample it's easier to help you!

Anyway, what do you need:

  • a regex to search all the events where there's the string "UPN=*T@mail.eeir",
  • the extraction of the UPN field?

If the first you can use:

| regex "UPN\=.*T\@mail\.eeir"

If the second, I need a sample.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

if you could share a sample it's easier to help you!

Anyway, what do you need:

  • a regex to search all the events where there's the string "UPN=*T@mail.eeir",
  • the extraction of the UPN field?

If the first you can use:

| regex "UPN\=.*T\@mail\.eeir"

If the second, I need a sample.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

ok, good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

SabariRajanT
Path Finder

Hi @gcusello 

Thanks for your response. The main gole is to ignore the Capital "T" as shown below in the UPN

|search (UPN=*T@mail.weir).

If you could provide the Query accordingly as per regex 101 that would be great.

Thanks,

Sabari

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

could share a sample?

Ciao.

Giuseppe

0 Karma

SabariRajanT
Path Finder

sample - UPN=*t@cloud.weir

Required to remove above "t" and "T".

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

please, try this

| regex "UPN\=.*(T|t)\@mail\.eeir"

Ciao.

Giuseppe

0 Karma

SabariRajanT
Path Finder

@gcusello 

Thanks for your response.!

It doesn't work out well

When i use a Not operator like below. The "t" "T" should ignore

search NOT (UPN=*t@cloud.eeir)

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

did you tried the search without using regex?

| search NOT (UPN=*t@cloud.eeir)

Splunk searches aren't case sensitive.

Ciao.

Giuseppe

SabariRajanT
Path Finder

hi @gcusello 

Yes did that.! But no luck. There are n no of id's with "T" "t". The regex part will help it out as i believe.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

as I said, I could help you more, if you share some sample of your data (the events not the rule!): data to take and data to exclude.

Ciao.

Giuseppe

SabariRajanT
Path Finder

Hi @gcusello 

Let me explain you the scenario in details:

when I query below, I get the UPN details with "T" as below. 

index=xxx | eval UPN=mvindex('userStates{}.userPrincipalName',0) |search UPN = "*T@mail.eeir"
|table UPN

xxx.mmm@mail.eeir
yyy.Mmmm@mail.eeir
zzz.rrrr@mail.eeir
cccc.eeeeT@mail.eeir

 

If you see above data xxx , yyy, cccT UPN data's  coming up. But I need to ignore "T" here and show the rest all UPN data like as below

xxx.mmm@mail.eeir
yyy.Mmmm@mail.eeir
zzz.rrrr@mail.eeir
cccc.eeee@mail.eeir

 

For the same am trying to use below query with regex command. But no luck regex is not working. 

index=graphsecurityalert | eval UPN=mvindex('userStates{}.userPrincipalName',0) |rex!=UPN = "*T@mail.eeir" |table UPN

if you provide the following rex will be great - |rex!=UPN = "*T@mail.eeir"

0 Karma

SabariRajanT
Path Finder

thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SabariRajanT,

please, try this regex:

| rex mode=sed field=UPN "s/(\w+\.\w+)T|t\@(.*)/\1\@\2/g"

Ciao.

Giuseppe

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!