- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract the username from a raw event?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract the username from a raw event?
Here is the raw event log:
Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed. Reason: No Roles
Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed from 10.12.6.240 for sramachandran/VPNUsers. All roles restricted.
I would like to extract only the username (ex: sramachandran in this case) to a field called "UserName".
Can you please help me achieve this?
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming the username always follows the IP address, which is in square brackets, this should do it.
]\s+(?<UserName>\w+)
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use rex:
| rex "(?<UserName>\w+)\(VPNUsers\)"
Smaple query:
| makeresults | eval _raw="Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed from 10.12.6.240 for sramachandran/VPNUsers. All roles restricted." | rex "(?<UserName>\w+)\(VPNUsers\)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="juniperindex" ("Login Failed*" OR "Primary authentication failed") is my initial query to find the results:
The outcome events look like:
Apr 22 21:21:21 10.14.10.66 1 2020-04-22T21:21:21-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 21:21:21 - ive - [12.12.2.28] vinduri(VPNUsers)[] - Login failed using auth server LasVegas DC (LDAP Server). Reason: Failed
Apr 22 21:21:21 10.14.10.66 1 2020-04-22T21:21:21-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 21:21:21 - ive - [14.13.8.28] rgunasek(VPNUsers)[] - Primary authentication failed for vinduri/LasVegas DC from x.y.z.a
Can you now help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below query should work:
index="juniperindex" ("Login Failed*" OR "Primary authentication failed") | rex "(?<UserName>\w+)\(VPNUsers\)" | table UserName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes this did the task. But i still have many other fields to be extracted with regular expression and add them to table finally.
In my next reply, can i paste another sample log file? with which we can fine tune this query more?
Thanks lot in advance.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
