Regex for Windows domain\name

One more! I'm trying to find things that don't fit in our "domain\username" pattern. But even using \\ or "\" doesn't seem to make it understand, and so trying to use the documented @&~(domain\\username) function won't work, because it'll return all users!

Can you provide an example of strings that you think should and should not match?

Our domain is [A-Z]{9} and usernames are [a-z][0-9]{6}. Windows makes it return a string DOMAIN\USERNAME on the username field, instead of only the username. I actually want to make two searches: one that lists all valid users and one that'll list the invalid ones.

Also, we do want to use the DOMAIN\USERNAME format because we've seen cases where there are logs with only USERNAME, and no domain.

But apparently, Kibana/Elastic don't like the backslash inside the string. If I filter for @&~(domain) it'll list everything, because the string isn't only domain. If I try to filter for @&~(username), it'll also list everything for the same reason.

I tried searching for the DOMAIN\USERNAME, and nothing shows up. If I search for domain only, it'll list everything (in opposition to the @&~(domain) search from the last paragraph). Same thing for searching for the username regex: nothing shows up, the opposite of its result from the last paragraph.

I tried a few things more, like searching for USERNAME:/[a-z][0-9]{6}/ and USERNAME:/.*[a-z][0-9]{6}/ and they both highlight only the username part. Shouldn't the .* version highlight the DOMAIN\ also?

Oh yeah, maybe this should be up top: we're running Kibana 6.4.2, not the latest 6.6.1.

Sorry, it's hard for me to reason about these regexes without some concrete examples to consider. Could you provide an example of valid and invalid USERNAME values? (they can be made up)

Yeah, sorry about that. We really try our best to keep that kind of info internal only.
But we found out the problem: the guys who set up our logstash, elastic and kibana didn't configure a whitespace analyzer, so whatever special character shows up messes things up.
A colleague also found a workaround we can use for now until we figure out how we'll deal with that in a more permanent and optimized way.
Thanks for the time and the attention, @Bargs!


Just to make it plain - the problem here is that whoever set up our environment didn't set a whitespace analyzer to be used, so whatever special characters show up in strings cut them up and mess the whole thing up. If anyone else arrives with this problem: check your analyzers.
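The following is an added illustration, not code from anyone in this thread, of why the analyzer matters here. It simulates the two analyzers in plain Python: an approximation of the standard analyzer (splits on non-alphanumerics such as the backslash and lowercases) and the whitespace analyzer (splits only on whitespace, keeps case), and applies a Lucene-style regexp query, which must match a whole indexed term. The sample values, the domain name CORPDOMAI and the function names are constructed for the example; Python's `re` stands in for Lucene's regex engine, so only character classes and quantifiers common to both are used.

```python
import re

# Constructed sample values for the USERNAME field (not real data):
# the domain is nine upper-case letters, a username is one lower-case
# letter followed by six digits, and one log line carries no domain.
SAMPLE_VALUES = [
    "CORPDOMAI\\a123456",  # valid DOMAIN\USERNAME
    "CORPDOMAI\\b654321",  # valid DOMAIN\USERNAME
    "CORPDOMAI\\admin",    # invalid: username does not fit the pattern
    "c111111",             # username only, no domain
    "OTHERDOMA\\d222222",  # valid DOMAIN\USERNAME, different domain
]

# Whole-string pattern for a well-formed DOMAIN\USERNAME value.
FULL_PATTERN = r"[A-Z]{9}\\[a-z][0-9]{6}"
USERNAME_PATTERN = r"[a-z][0-9]{6}"


def standard_tokens(value):
    """Approximation of the standard analyzer: a backslash is a word break,
    so DOMAIN\\USERNAME becomes two terms, and every term is lowercased.
    (The real analyzer uses Unicode word segmentation; this is close enough
    for ASCII domain and user names.)"""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", value)]


def whitespace_tokens(value):
    """Whitespace analyzer: split only on whitespace and keep the case,
    so DOMAIN\\USERNAME stays a single term."""
    return value.split()


def regexp_query_hits(values, pattern, tokenizer):
    """Lucene regexp queries are anchored: the pattern must match an entire
    indexed term, not a substring of the original string. Return the values
    that have at least one term matching the pattern."""
    compiled = re.compile(pattern)
    return [v for v in values if any(compiled.fullmatch(t) for t in tokenizer(v))]


def classify(values):
    """Split values into well-formed and malformed DOMAIN\\USERNAME entries.
    This only works when the whole string is a single term (whitespace
    analyzer or a keyword field); under the standard analyzer the backslash
    and the lowercasing make FULL_PATTERN unmatchable."""
    valid = regexp_query_hits(values, FULL_PATTERN, whitespace_tokens)
    invalid = [v for v in values if v not in valid]
    return valid, invalid


if __name__ == "__main__":
    print("standard terms:", standard_tokens("CORPDOMAI\\a123456"))
    # No term contains a backslash (and none is upper-case), so the full
    # pattern matches nothing under the standard analyzer.
    print("full pattern, standard:", regexp_query_hits(SAMPLE_VALUES, FULL_PATTERN, standard_tokens))
    # The username regex matches the username term on its own; prefixing
    # ".*" changes nothing because the domain is a separate term.
    print("username, standard:", regexp_query_hits(SAMPLE_VALUES, USERNAME_PATTERN, standard_tokens))
    print("'.*' username, standard:", regexp_query_hits(SAMPLE_VALUES, ".*" + USERNAME_PATTERN, standard_tokens))
    valid, invalid = classify(SAMPLE_VALUES)
    print("valid:", valid)
    print("invalid:", invalid)
```

Under the simulated standard analyzer the full DOMAIN\USERNAME regex never matches and the username regex matches whether or not it is prefixed with `.*`, which is the behaviour described earlier in the thread; with the whitespace analyzer the two searches (valid and invalid entries) come out as intended.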
