The log entry is:
2011-04-20 01:04:12,026 [DEBUG] com.company.ldap.SpringLdapDao.java(?) - **username=ahall** returned no groups, which probably means the user needs to be assigned groups by security
2011-04-19 18:06:49,424 [DEBUG] com.company.ldap.SpringLdapDao.java(?) - **username=frozndrk** returned no groups, which probably means the user needs to be assigned groups by security
I would expect to see a list of usernames with the simple values (e.g. ahall, frozndrk), but in reality, what I see for the username field is:
In some odd way, it is also grabbing data to the comma. I only want the username, and not the junk after it.
Why is this happening?
Thanks,
Sean
Is this a field extraction you've defined, or is Splunk auto-extracting it? It sounds like maybe you need to define a slightly different regex for this. Try this as a test, and see how it does with values for test_username.
returned no groups | rex "username=(?<test_username>.*) returned no groups"
You can add this to props.conf for your sourcetype using something like:
[mysourcetype]
EXTRACT-username = username=(?<username>.*) returned no groups
It's hard to say for 100% sure without digging through your configuration. You could always add the above extraction to props.conf for your sourcetype. See update to answer...
I have looked through my existing Field Extractions, and I do not see anything related to this particular username. So I think it appears to be Splunk making this extraction.
Using your inline extraction above retrieves the usernames as expected for the test_username field.
Any idea why Splunk would extract usernames wrong? What configuration can I check to ensure it is not something I have done?
Thanks,
Sean
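As an added example (not from the posts above, and not Splunk's own code), this Python check runs candidate extractions over constructed events before a regex goes into props.conf. The `to_comma` pattern only reproduces the symptom described in the question, `non_space` is an added alternative, the third event is a constructed edge case, and Python writes named groups as `(?P<name>...)` where Splunk uses `(?<name>...)`.

```python
import re

PREFIX = "[DEBUG] com.company.ldap.SpringLdapDao.java(?) - "

# Constructed sample events. The first two follow the log lines in the
# question (emphasis markers dropped); the third is a made-up edge case
# in which the anchor phrase " returned no groups" occurs twice.
EVENTS = [
    "2011-04-20 01:04:12,026 " + PREFIX + "username=ahall returned no groups, "
    "which probably means the user needs to be assigned groups by security",
    "2011-04-19 18:06:49,424 " + PREFIX + "username=frozndrk returned no groups, "
    "which probably means the user needs to be assigned groups by security",
    "2011-04-20 01:05:00,000 " + PREFIX + "username=bob returned no groups, "
    "retry for bob also returned no groups",
]

PATTERNS = {
    # Reads the value up to the next comma: reproduces the reported symptom.
    "to_comma": r"username=(?P<username>[^,]*)",
    # The regex from the answer, in Python's named-group syntax.
    "anchored_greedy": r"username=(?P<username>.*) returned no groups",
    # Added alternative: stop at the first whitespace character.
    "non_space": r"username=(?P<username>\S+)",
}


def extract(pattern_name, event):
    """Return the captured username, or None if the pattern does not match."""
    match = re.search(PATTERNS[pattern_name], event)
    return match.group("username") if match else None


def compare(events=EVENTS):
    """Apply every candidate pattern to every event."""
    return [{name: extract(name, e) for name in PATTERNS} for e in events]


if __name__ == "__main__":
    for event, row in zip(EVENTS, compare()):
        print(event[:23])
        for name, value in row.items():
            print(f"  {name:16} -> {value!r}")
```

On the third event the greedy `.*` runs to the last occurrence of the anchor phrase, so the anchored pattern over-captures while `\S+` still returns only the username.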