
How do I extract user field from connection events?

cm22486
Path Finder

Hello,
We recently began piping connection events into Splunk in order to track URL history for our users. However, I see the user data in the event, but it is not appearing in my event fields. I can search by string using "user=john.smith" but if I try to search user=john.smith it will not work. Any ideas on what to adjust? Thanks!alt text



kalianov
Path Finder

You can also create a field extraction for data that has already been indexed:
All Fields -> Extract New Fields

Instructions:
http://docs.splunk.com/Splexicon:Fieldextraction
http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/ExtractfieldsinteractivelywithIFX


lukejadamec
Super Champion

If you try searching for user=john.smith then Splunk is expecting to find a field called 'user'. If you want to create a field called user at search time you can use rex...

Your Search | rex field=_raw "(?<user>\w+\=\w+\.\w+)"

This will create a field in that search called 'user', and in this case it will equal 'user=john.smith'.

You should be able to search all users with the search:

Your Search | rex field=_raw "(?<user>\w+\=\w+\.\w+)" | search user=*

There is a problem with this regex extract: user names with numbers or special characters, or with more than one '.' segment, will not get recognized. You should review your username rules to make sure the regex captures all possible user names.

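As an added example (not part of the answer above or of Splunk itself), the following Python script lets you dry-run a rex pattern against a handful of constructed connection events before deploying it in a search. It emulates `| rex field=_raw "..."` with the default max_match=1 and `| search user=*`, runs the regex exactly as posted alongside an anchored alternative, and shows the edge cases the answer warns about: usernames containing digits or hyphens, usernames with more than one dot segment, and an event with no user at all. The sample events, the key names (src, dst, url, action) and the assumed username character set are all constructed for the example; Splunk's PCRE `(?<name>...)` group syntax is rewritten to Python's `(?P<name>...)` so the pattern can be pasted between the two unchanged.

```python
import re

# Constructed sample events (not from the original post): firewall-style
# connection logs as key=value pairs. The user field is absent from the last one.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:00Z src=10.0.0.5 dst=93.184.216.34 url=http://example.com/ user=john.smith action=allow",
    "2024-03-01T10:00:01Z src=10.0.0.6 dst=93.184.216.34 url=http://example.com/ user=mary.ann.jones action=allow",
    "2024-03-01T10:00:02Z src=10.0.0.7 dst=93.184.216.34 url=http://example.com/ user=svc-backup01 action=block",
    "2024-03-01T10:00:03Z src=10.0.0.8 dst=93.184.216.34 url=http://example.com/ action=allow",
]

# The pattern exactly as posted in the answer above (Splunk/PCRE named-group syntax).
POSTED_REGEX = r"(?<user>\w+\=\w+\.\w+)"

# Anchored alternative (assumption: the key is literally "user" and values never
# contain whitespace). It captures only the value, so digits, hyphens and any
# number of dot segments are kept. Tighten \S+ to match your own naming rules.
ANCHORED_REGEX = r"(?:^|\s)user=(?<user>\S+)"


def to_python_regex(splunk_regex: str) -> str:
    """Splunk's rex uses PCRE (?<name>...) groups; Python's re needs (?P<name>...).
    Lookbehind assertions (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", splunk_regex)


def rex(events, splunk_regex, field="user"):
    """Emulate `| rex field=_raw "<regex>"` with the default max_match=1.
    Returns the named group's value from the leftmost match of each event,
    or None when there is no match (Splunk then simply has no such field)."""
    pattern = re.compile(to_python_regex(splunk_regex))
    results = []
    for raw in events:
        match = pattern.search(raw)
        results.append(match.group(field) if match else None)
    return results


def search_user_star(events, splunk_regex):
    """Emulate `| rex ... | search user=*`: keep only events where the field
    was actually extracted, paired with the extracted value."""
    return [(raw, value) for raw, value in zip(events, rex(events, splunk_regex))
            if value is not None]


if __name__ == "__main__":
    for label, regex in (("posted", POSTED_REGEX), ("anchored", ANCHORED_REGEX)):
        print(f"--- {label}: {regex}")
        for raw, value in zip(SAMPLE_EVENTS, rex(SAMPLE_EVENTS, regex)):
            print(f"{value!r:20} <- {raw}")
        print(f"events kept by `search user=*`: {len(search_user_star(SAMPLE_EVENTS, regex))}")
```

On these constructed events the posted, unanchored pattern also fires on the first key=value pair whose value contains a dot, so the dry-run is worth doing on a few of your real events with an IP or hostname field before the user field: whatever the regex extracts here is what `search user=john.smith` will be compared against.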

aaraneta_splunk
Splunk Employee

Hi @cm22486 - If the answer provided by @lukejadamec helped answer your question, please don't forget to resolve this post by clicking "Accept" below the answer.

If it did not resolve your question, please provide feedback by leaving a comment so that he or another user can try to help you out further. Thank you!
