Splunk Add-on for Cisco WSA: How to extract the us...

kiran331 · ‎11-11-2016

Hi

From the Cisco WSA logs, I get the user information as user=ABCDEFEGH\kiran@ka.ABCDEFEGH.com.

What should I use in props.conf to extract the user by removing

ABCDEFEGH\

and

@ka.ABCDEFEGH.com

at indexing time?

sk314 · ‎11-11-2016

Try this:

EXTRACT-username = user=[^\\]+\\(?<username>[^@]+)@

kiran331 · ‎11-11-2016

Hi Sk314, Thanks for the response, I tried its not working.

sk314 · ‎11-11-2016

can you paste your entry in props.conf here? Does this work in search

<your index and sourcetype> | rex field=_raw "user=[^\\]+\\(?<username>[^@]+)@" | table username

kiran331 · ‎11-11-2016

[cisco:wsa:squid]
EXTRACT-username = cs_username=[^\]+\(?[^@]+)@

When I run search i got error

Error in 'rex' command: Encountered the following error while compiling the regex 'user=[^]+(?[^@]+)@': Regex: unmatched parentheses

sk314 · ‎11-11-2016

Try this instead:

<your index and sourcetype> | rex field=_raw "user=[^\\\]+\\\(?<username>[^@]+)@" | table username

kiran331 · ‎11-11-2016

Its working, But not for all users

sk314 · ‎11-11-2016

Can you specify where it fails? I just saw that you use cs_username in your props? You might be better off using Splunk's field extractor instead.
Reference: https://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/ExtractfieldsinteractivelywithIFX

Splunk Add-on for Cisco WSA: How to extract the user from Cisco WSA logs?