Hi !
Just wanted to share how an AA admin can extract the domain from the username fields in case he/she wants to gain some level of abstraction when it comes to user reporting, probably helpful in multi-domain based organisations
Walkthrough:
An username in Netskope will always have the format 'user@domain.com', in our case we are interested in the 'domain.com' part of the field. As of the day I'm writing this post, there is no pre-built domain field that provides that information, so let the fun begin.
- In a Widget creation window (from Explore or directly from a Dashboard) and any data collection that contains username fields (Page Events, Application Events, Alerts, etc), head to Custom Fields and click on '+ Add' and add a new Custom Dimension.
- In the "Expression" section we are going to add some text manipulation functions that will get rid off the username part of the username field. The full expression is the following:
substring(
${app_event.user},
position(${app_event.user}, “@”)+1,
length(${app_event.user})
)
- Explanation:
-> Substring (requires three parameters A, B and C) will extract a smaller text portion of the text A, given where to start the extraction (parameter B) and the sub text desired length (parameter C)
-> ${app_event.user} is the username field code in Application Events. This will change depending on which data source is selected
-> position(${app_event.user}, “@”)+1 . The position function will give you the position of a given character in a text. So in this case we want to get where the "@" character is positioned in the username field, to start the extraction from there, but as we don't want the "@" character to appear on the final result, we add 1 position to the result.
-> length(${app_event.user}. The length function gives you the length of a string. We use it to determine the desired length of the extracted domain. In this case we put the full username field length to make sure we make room for whatever is in the domain. (the domain part will always be smaller than the whole field, no matter its size)
- We don't need to change the formatting, as we desired to output simple text. We can name it just "Domain Name"
- Now that new field will be available to use as any other.
Many thanks everyone!
Carlos C.
