Splunk Search

How to match \\ in regex to extract a value from a field in my data?

reswob4
Builder

I have logs that have the following two formats

1. Oct 26 13:22:55 1.2.3.4 1 2015-10-26T13:22:51.480-04:00 Device.domain.tld View - 2020 [View@6876 Severity="AUDIT_SUCCESS" Module="Admin" EventType="ADMIN_USERLOGGEDIN" UserSID="xxxxxxxxxxxxxxxxx" UserDisplayName="DOMAIN\\user1"] User DOMAIN\user1 has logged in to View Administrator
2. Oct 26 12:31:39 1.2.3.4 1 2015-10-26T12:31:31.351-04:00 Host.domain.tld View - 1007 [View@6876 Severity="INFO" Module="Agent" EventType="AGENT_CONNECTED" UserSID="yyyyyyyyyyyyyyyyy" UserDisplayName="DOMAIN\\user2" DesktopId="remote_access" PoolId="remote_access" MachineId="zzzzzzzzzzzzzzzzzzzzz" MachineName="hostname" MachineDnsName="host.domain.tld"] User DOMAIN\user2 has logged in to a new session on machine hostname
3. Oct 26 12:30:52 1.2.3.4 1 2015-10-26T12:30:51.331-04:00 Device.domain.tld View - 150 [View@6876 Severity="AUDIT_FAIL" Module="Broker" EventType="BROKER_USER_AUTHFAILED_SECUREID_ACCESS_DENIED" UserDisplayName="user2"] SecurID access denied for user user2
4. Oct 26 12:31:18 1.2.3.4 1 2015-10-26T12:31:15.882-04:00 host.domain.tld View - 1003 [View@6876 Severity="INFO" Module="Agent" EventType="AGENT_PENDING" UserSID="xxxxxxxxxxxxxxxxx" UserDisplayName="DOMAIN\\user2" DesktopId="remote_access" PoolId="remote_access" MachineId="zzzzzzzzzzzzzzzzzzzzz" MachineName="hostname" MachineDnsName="host.domain.tld"] The agent running on machine hostname has accepted an allocated session for user DOMAIN\user2

I want to capture the username into a field called user. This would be the username part of the UserDisplayName field, but this shows up two different ways.

UserDisplayName="DOMAIN\\username" 
UserDisplayName="username"

Inside a regex tester, I got the following syntax to work:

UserDisplayName=".*\\(.*)"  

And that gives me the right group. But when I tried converting that to Splunk, I used:

rex field=_raw "UserDisplayName=.*\\\(?<user>.*)" 

This gave me the following:

  1. user: user1 has logged in to View Administrator
  2. user: user2 has logged in to a new session on machine hostname
  3. user:
  4. user: user2

So anything involving \\ seems to be problematic.

I figure once I get the syntax for each variable, I can use coalesce to get one overall label. But I'm not sure how to go about this.

Suggestions?

1 Solution

aljohnson_splun
Splunk Employee

You need to escape BOTH slashes with an additional backslash.

So the first escape would be \\, then the second escape would be \\:

UserDisplayName=".*\\\\(.*)"  

Also, you probably want to make sure it's an optional group in case the basic version shows up: https://regex101.com/r/fA4tO1/3

rex "UserDisplayName=(?:.*\\\\)?(?<username>.*)"
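The greedy-versus-bounded behaviour this thread runs into, as an added Python example that is not from the thread or from Splunk: it stands in Python's `re` module for `rex`, reuses the question's own sample events, and the pattern names are mine.

```python
import re

# Two of the sample events from the question above (copied, not constructed). Note the
# log writer emits the quoted value as DOMAIN\\user1 (two backslashes) while the free-text
# message carries a single backslash in DOMAIN\user1.
SAMPLE_EVENTS = [
    r'Oct 26 13:22:55 1.2.3.4 1 2015-10-26T13:22:51.480-04:00 Device.domain.tld View - 2020 '
    r'[View@6876 Severity="AUDIT_SUCCESS" Module="Admin" EventType="ADMIN_USERLOGGEDIN" '
    r'UserSID="xxxxxxxxxxxxxxxxx" UserDisplayName="DOMAIN\\user1"] '
    r'User DOMAIN\user1 has logged in to View Administrator',
    r'Oct 26 12:30:52 1.2.3.4 1 2015-10-26T12:30:51.331-04:00 Device.domain.tld View - 150 '
    r'[View@6876 Severity="AUDIT_FAIL" Module="Broker" '
    r'EventType="BROKER_USER_AUTHFAILED_SECUREID_ACCESS_DENIED" '
    r'UserDisplayName="user2"] SecurID access denied for user user2',
]

# Greedy pattern in the spirit of the first attempt: ".*" followed by a backslash runs to the
# LAST backslash in the event, which sits in the message text, not in the quoted field. That
# is why the extracted value came back as "user1 has logged in to View Administrator".
GREEDY = re.compile(r'UserDisplayName=.*\\(?P<user>.*)')

# Bounded pattern: stay inside the quotes, keep the "DOMAIN\\" prefix optional, and forbid
# quotes and backslashes inside the capture so message text can never leak into the user
# field that audit searches will key on.
BOUNDED = re.compile(r'UserDisplayName="(?:[^"\\]*\\+)?(?P<user>[^"\\]*)"')


def extract_user(event, pattern=BOUNDED):
    """Return the username from UserDisplayName, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("user") if m else None


def literal_backslash_pattern(n):
    """Regex source matching exactly n consecutive literal backslashes.

    Each literal backslash costs two regex characters; an ordinary (non-raw) string
    literal doubles them again, which is the "escape both" point in the answer above.
    """
    return r"\\" * n


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("greedy :", extract_user(ev, GREEDY))
        print("bounded:", extract_user(ev))
```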


reswob4
Builder

OK, here's what I got to work.

rex field=_raw "UserDisplayName=(?<user>.*?) " | eval user1=rtrim(user,"]") | eval user2=trim(user1,"\"") | eval user3=ltrim(user2,"DOMAIN\\") | rename user3 AS user

this gives me:

user: username

Note: the first rex command does NOT work if you use

rex field=_raw "UserDisplayName=(?<username>.*?) "

You have to have user in there, not username or something else.

I'm marking the other answer as correct because that directly answered my question, even if it wasn't the method I used to get what I needed.

Thanks.

reswob4
Builder

Hmm... Tried that and it's weird. I wonder if something is wrong with my overall config.

I get the same results if I use:

rex  "\\\(?<user>.*?) "  

or

rex  "\\\\(?<user>.*?) "

they both give me:

user:  \username"

So I'm not sure why I'm getting the leading slash and why I'm getting the trailing quotes.

I'm continuing to try different things...
