I had an email from a customer asking the following question.
Could you help me with a parser for MS IIS logs? Some logs from MS IIS have the user.dst field in the format «domain\username».
Could you write a parser to extract the username to the field user.dst and write the domain name (like mydomain.com) to the domain field if this field is present in the original user.dst? For example – anonymous doesn't have a domain prefix. It will be very useful for our customers on the community.
I'm going to post the answer here once I write the parser!
Here is the parser:
local ExtractUser = nw.createParser("ExtractUser", "Splits a username of the form domain\\user into domain and username parts")

--[[
    DESCRIPTION
        Splits a username of the form DOMAIN\USERNAME into DOMAIN and USERNAME parts.
        If the username does not contain a \ then we write the value unchanged.
    VERSION
        2nd March - Initial Development
    AUTHOR
        david.waugh2@rsa.com
    DEPENDENCIES
        The input key is tr_username.
        In the Table Map Custom.xml file on the logdecoder make sure username is mapped to tr_username as follows:
        <mapping envisionName="username" nwName="tr_username" flags="Transient" format="Text" envisionDisplayName="UserName|UserID|User|UserName|Username" nullTokens="none|-"/>
    NOTES
        None
--]]

-- These are the meta keys that we will write meta into
ExtractUser:setKeys({
    nwlanguagekey.create("user.dst", nwtypes.Text),
    nwlanguagekey.create("domain", nwtypes.Text)
})

-- Callback for the transient tr_username key
function ExtractUser:userdst(index, myusername)
    -- The first (.*) is greedy, so the split happens at the last backslash in the value
    local domain, username = string.match(myusername, "(.*)\\(.*)")
    if domain == nil then
        -- Username was not of the form domain\user
        nw.createMeta(self.keys["user.dst"], myusername)
    else
        -- Username was of the form domain\user so split into component parts
        nw.createMeta(self.keys["user.dst"], username)
        nw.createMeta(self.keys["domain"], domain)
    end
end

-- Run userdst whenever tr_username meta is registered
ExtractUser:setCallbacks({
    [nwlanguagekey.create("tr_username", nwtypes.Text)] = ExtractUser.userdst,
})
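
The split performed in userdst can be checked without a Log Decoder. The following is an added example, not part of the original parser: it runs the same Lua pattern in a plain Lua interpreter, using a hypothetical helper named split_user and constructed sample usernames.

```lua
-- Added example: the parser's pattern, exercised outside NetWitness.
-- split_user is a hypothetical helper name, not part of the NetWitness API.
local function split_user(raw)
    -- Same pattern as ExtractUser:userdst; in Lua patterns the backslash is an
    -- ordinary character, so "\\" in the string matches one literal backslash.
    local domain, username = string.match(raw, "(.*)\\(.*)")
    if domain == nil then
        return nil, raw          -- no backslash: value passes through unchanged
    end
    return domain, username
end

-- Constructed sample values (not taken from real logs).
local samples = {
    "MYDOMAIN\\jsmith",      -- typical domain\user
    "anonymous",             -- no domain prefix
    "CORP\\SUB\\svc_web",    -- more than one backslash
    "MYDOMAIN\\",            -- trailing backslash, empty user part
    "\\jsmith",              -- leading backslash, empty domain part
}

for _, raw in ipairs(samples) do
    local domain, username = split_user(raw)
    -- Brackets make empty strings visible; a nil domain prints as "nil".
    print(string.format("%-20s domain=[%s] user.dst=[%s]",
        raw, tostring(domain), username))
end
```

Because the first capture is greedy, a value with several backslashes is split at the last one, and a leading or trailing backslash leaves the domain or username part as an empty string.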