Hi
From the Cisco WSA logs, I get the user information as user=ABCDEFEGH\kiran@ka.ABCDEFEGH.com.
What should I use in props.conf to extract the user by removing ABCDEFEGH\ and @ka.ABCDEFEGH.com at indexing time?
Try this:
EXTRACT-username = user=[^\\]+\\(?<username>[^@]+)@
Hi Sk314, thanks for the response. I tried it, but it's not working.
Can you paste your entry in props.conf here? Does this work in search:
<your index and sourcetype> | rex field=_raw "user=[^\\]+\\(?<username>[^@]+)@" | table username
[cisco:wsa:squid]
EXTRACT-username = cs_username=[^\]+\(?[^@]+)@
When I run the search I get an error:
Error in 'rex' command: Encountered the following error while compiling the regex 'user=[^]+(?[^@]+)@': Regex: unmatched parentheses
Try this instead:
<your index and sourcetype> | rex field=_raw "user=[^\\\]+\\\(?<username>[^@]+)@" | table username
It's working, but not for all users.
Can you specify where it fails? I just saw that you use cs_username in your props? You might be better off using Splunk's field extractor instead.
Reference: https://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/ExtractfieldsinteractivelywithIFX
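To make "not for all users" concrete, here is an added Python example (not from the thread, not Splunk's or Cisco's code) that runs the thread's pattern over constructed WSA-style lines and compares it with a more tolerant pattern, which is an assumption of mine, that also accepts a user with no DOMAIN\ prefix or no @realm suffix. Python's (?P<name>...) stands in for Splunk's (?<name>...).

```python
import re

# The thread's regex as the regex engine sees it after props.conf:
# everything before the first backslash is the domain, everything
# between the backslash and the "@" is the username.
STRICT_RE = re.compile(r"user=[^\\]+\\(?P<username>[^@]+)@")

# Tolerant form (my assumption, not from the thread): domain prefix and
# @realm suffix are both optional, and no part may span whitespace.
TOLERANT_RE = re.compile(
    r"user=(?:(?P<domain>[^\\\s@]+)\\)?"
    r"(?P<username>[^\\\s@]+)"
    r"(?:@(?P<realm>\S+))?"
)

# Constructed sample events in the shape of the thread's WSA line.
SAMPLE_LOGS = [
    "... user=ABCDEFEGH\\kiran@ka.ABCDEFEGH.com ...",  # domain + realm
    "... user=ABCDEFEGH\\ravi ...",                    # no @realm
    "... user=kiran@ka.ABCDEFEGH.com ...",             # no DOMAIN\
]


def strict_username(line):
    """Username per the thread's regex, or None when it does not match."""
    m = STRICT_RE.search(line)
    return m.group("username") if m else None


def tolerant_user(line):
    """domain/username/realm per the tolerant regex, or None on no match."""
    m = TOLERANT_RE.search(line)
    if not m:
        return None
    return {"domain": m.group("domain"),
            "username": m.group("username"),
            "realm": m.group("realm")}


def compare(lines):
    """Pair each line's strict and tolerant results for side-by-side review."""
    return [(strict_username(ln), tolerant_user(ln)) for ln in lines]


if __name__ == "__main__":
    for strict, tolerant in compare(SAMPLE_LOGS):
        print(strict, tolerant)
```

Only the first sample line yields a username under the strict pattern; the other two fall through because the pattern requires both the backslash and the "@".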