I have a field called "user", i'm trying to extract the username from the string and create a new field called extracted_user that I will later run against an LDAP filter to look up additional AD info.
user field examples:
Smith, John M. (jmsmith)(+)
Doe, Jane P. (jpdoe)(+)
I want to extract the username between the first set of parenthesis "jmsmith" and "jpdoe" respectively.
My current search:
index=network sourcetype=opsec app_rule_name="Track Uncategorized Content" user!=NULL
| rex field=user “\((?.*)\)\(“
Right now the search runs, but extracted_user field isn't created and the user field is unchanged. Any help would be greatly appreciated.
↧