So I have this data:
> Aug 22 09:13:46 someservername <118>1 2018-08-22T09:13:46.743+00:00 ip.address LOGSTASH - - - {"timestamp":1534929226738,"process_id":62,"source":"OpsCodi:0","event_type":"SECURITY_MGMT_REGISTRY","data2":{"srctype":"ops_console"},"user":"U654321","target":"some.server.of.ours","message":"Add User [U123456] ","log_level":"INFO"}
I don't have a way to modify the field extractions or anything, so I'm at the mercy of Splunk. No admin rights, so I've been working on some serious Splunk fu with my search.
> index=index sourcetype=sourcetype source="source//*.log" | multikv | mvexpand _raw | search URGP_0="User [*]*" | regex URGP_0=(\[(\w+)\]) | table URGP_0
So all I want to see is just U123456 and I intend to pipe this into a table in my dashboard once I have the regex working properly.
I am no master with regex, but I've plugged it into various checkers online and they all show that it should be working, but Splunk just continues to show me the full field value, which looks like this:
> User [U123456] ","log_level":"INFO"}
Yes, it's a terrible field, but prior to me putting in the mvexpand there were no fields detected, so now I at least have something to work with.
Thank you for your help with this.
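An added example, not part of the original post: in SPL the `regex` command only keeps or drops events whose field matches, while `rex` creates a new field from a named capture group. The search below is written against the sample line above; the `LOGSTASH - - -` delimiter is taken from that line, the index/sourcetype/source values are the placeholders from the question, and `json_body`, `actor` and `added_user` are field names chosen for this example.

```spl
index=index sourcetype=sourcetype source="source//*.log"
| rex field=_raw "LOGSTASH - - - (?<json_body>\{.*\})$"
| spath input=json_body path=user output=actor
| spath input=json_body path=event_type output=event_type
| spath input=json_body path=message output=message
| rex field=message "\[(?<added_user>\w+)\]"
| where isnotnull(added_user)
| table _time actor event_type added_user
```

If the raw JSON cannot be re-parsed and only the `URGP_0` field from the `multikv`/`mvexpand` pipeline is available, the same extraction is `| rex field=URGP_0 "\[(?<added_user>\w+)\]" | table added_user`.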