
How do I extract user field from connection events?

cm22486
Path Finder

Hello,
We recently began piping connection events into Splunk in order to track URL history for our users. However, I see the user data in the event, but it is not appearing in my event fields. I can search by string using "user=john.smith" but if I try to search user=john.smith it will not work. Any ideas on what to adjust? Thanks!alt text

alt text


kalianov
Path Finder

Also, you can create a field extraction for your data which was already indexed:
All Fields >> Extract New Fields

Instructions:
http://docs.splunk.com/Splexicon:Fieldextraction
http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/ExtractfieldsinteractivelywithIFX


lukejadamec
Super Champion

If you try searching for user=john.smith then Splunk is expecting to find a field called 'user'. If you want to create a field called user at search time you can use rex...

Your Search | rex field=_raw "(?<user>\w+\=\w+\.\w+)"

This will create a field in that search called 'user', and in this case it will equal 'user=john.smith'.

You should be able to search all users with the search:

Your Search | rex field=_raw "(?<user>\w+\=\w+\.\w+)" | search user=*

There is a problem with this regex extract - user names with numbers or special characters or more than one '.' segment will not get recognized. You should review your username rules to make sure the regex captures all possible user names.

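As an added illustration of the answer above (not code from the original thread), the following Python script runs the posted rex pattern and a stricter alternative over a few constructed connection events, so the failure modes the answer warns about (digits, special characters, extra '.' segments) and one more (the unanchored pattern latching onto an earlier dotted value such as an IP address) can be seen without a Splunk instance. The sample events, the `HARDENED_PATTERN` and the function names are assumptions; Splunk's rex uses `(?<name>...)` for named groups, while Python's `re` uses `(?P<name>...)`, so the group syntax is adapted.

```python
import re

# Constructed sample events (not from the original post): key=value style
# connection log lines similar to what the question describes.
SAMPLE_EVENTS = [
    'user=john.smith url=https://example.com/login',
    'src=10.0.0.5 user=john.smith url=https://example.com/login',
    'user=bob2 url=https://example.com/',
    'user=mary-ann.lee url=https://example.com/',
    'user=jane.o.connor url=https://example.com/',
    'src=10.0.0.9 dst=203.0.113.4 proto=tcp',  # no user key at all
]

# The pattern from the answer above, with Python's named-group syntax.
# It is not anchored to the "user" key: it matches the first key=value pair
# whose value contains a '.', and the captured value keeps the "user=" prefix.
ORIGINAL_PATTERN = re.compile(r'(?P<user>\w+\=\w+\.\w+)')

# Assumed alternative: anchor on the literal "user=" key and capture up to the
# next whitespace, so digits, hyphens and additional '.' segments are kept and
# the captured value is just the user name.
HARDENED_PATTERN = re.compile(r'\buser=(?P<user>\S+)')


def extract_user(event: str, pattern: re.Pattern = HARDENED_PATTERN):
    """Return what the 'user' capture group would hold for this event, or None.

    This mirrors what '... | rex field=_raw "<pattern>"' does for one event:
    the first match wins and the named group becomes the field value.
    """
    m = pattern.search(event)
    return m.group('user') if m else None


def extract_all(events, pattern=HARDENED_PATTERN):
    """Equivalent of '... | rex ... | search user=*': keep only the events
    for which the pattern produced a user value, returning those values."""
    users = []
    for event in events:
        value = extract_user(event, pattern)
        if value is not None:
            users.append(value)
    return users


if __name__ == '__main__':
    for event in SAMPLE_EVENTS:
        print(f'original={extract_user(event, ORIGINAL_PATTERN)!r:20} '
              f'hardened={extract_user(event)!r}  <- {event}')
    print('original search user=* yields:', extract_all(SAMPLE_EVENTS, ORIGINAL_PATTERN))
    print('hardened search user=* yields:', extract_all(SAMPLE_EVENTS))
```

Run as-is, the original pattern returns 'src=10.0' for the two events that start with an IP address, misses 'bob2' and 'mary-ann.lee' entirely, and truncates 'jane.o.connor' to 'user=jane.o'; the anchored pattern returns the bare user name in every event that carries a user key and nothing for the one that does not. Whatever pattern you settle on, check it against the full set of account name rules in your environment rather than against one sample event, since a miss here silently drops events from user-based searches.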

aaraneta_splunk
Splunk Employee

Hi @cm22486 - If the answer provided by @lukejadamec helped answer your question, please don't forget to resolve this post by clicking "Accept" below the answer.

If it did not resolve your question, please provide feedback by leaving a comment so that he or another user can try to help you out further. Thank you!
