topic Regex help! Want to start after the \ and collect the user name that follows in Splunk Search

Regex help! Want to start after the \ and collect the user name that follows

johnward4 — Tue, 31 Oct 2017 22:44:19 GMT

I want to start after the \ and collect the user name but the user name is in delimited format (.)

field name = UserName

example of a field value

BDDLOX3855\john.doe

Would it be possible to replace the . with a space after using my regex request?

Re: Regex help! Want to start after the \ and collect the user name that follows

sbbadri — Wed, 01 Nov 2017 05:14:12 GMT

try this

your search | eval UserName= replace(UserName,".",". ")

Re: Regex help! Want to start after the \ and collect the user name that follows

erickyi — Wed, 01 Nov 2017 05:59:43 GMT

assuming your line is BDDLOX3855\john.doe value (format is domain\username
The following reg should work

"^(?P<testDomain>[^\\\]+)\\\(?P<testFirstname>[a-z^\.]+)\.(?P<testLastname>[a-z^\s]+)\s"

Note, I have also split the username to firstname and lastname. This should give you more flexibility

Re: Regex help! Want to start after the \ and collect the user name that follows

johnward4 — Wed, 01 Nov 2017 18:12:39 GMT

I wasn't able to get this to work, I'm really trying to grasp using regex so if would you mind explaining the regex you use to help me better understand how to write it myself? I'm also not really interested in creating new fields for first name and another for last name. It was mostly a would be nice if possible, to replace the . with a space show my output for UserName showed first name last name

Re: Regex help! Want to start after the \ and collect the user name that follows

johnward4 — Wed, 01 Nov 2017 18:45:39 GMT

This eval replaced the field data with .............. only and didn't cut the domain\ leaving just the user name as I'm looking to do

Re: Regex help! Want to start after the \ and collect the user name that follows

somesoni2 — Wed, 01 Nov 2017 19:11:17 GMT

Try like this

your current search with field UserName
| eval UserName=replace(UserName,"(\w+)\\\(\w+)\.(\w+)","\2 \3")

Runanywhere sample search:

| gentimes start=-1 | eval UserName="DDFDF\john.doe" | table UserName | eval UserName1=replace(UserName,"(\w+)\\\(\w+)\.(\w+)","\2 \3")

Re: Regex help! Want to start after the \ and collect the user name that follows

johnward4 — Wed, 01 Nov 2017 20:02:09 GMT

Thank you @somesoni2! Can you please walk me through the regex you used as I'm trying to learn

Re: Regex help! Want to start after the \ and collect the user name that follows

somesoni2 — Wed, 01 Nov 2017 20:41:28 GMT

The regex used in replace command (2nd argument) is creating capturing group of each of the segment of the value of field UserName. E.g.

BDDLOX3855\john.doe
{segment1}\{segment2}.{segment3}.

Then, in the 3rd argument of replace command, we're displaying the captured segments as per our need (dropping segment1 and adding a space between segment2 and segment3). You can playaround with runanywhere search to get feel of the replace command.

| gentimes start=-1 | eval UserName="DDFDF\john.doe" | table UserName | eval UserName1=replace(UserName,"(\w+)\\\(\w+)\.(\w+)","seg1: \1, seg2: \2, seg3: \3")

Re: Regex help! Want to start after the \ and collect the user name that follows

erickyi — Thu, 02 Nov 2017 00:36:06 GMT

hi john,

dissecting the regex ... it is {from beginning of line}{extract the first token}{delimiter of backslash}{extract the 2nd token which is testFirstname}{delimiter of dot}{extract the 3rd token which is testLastname}{delimiter of space}

Details
1. (?Pregular pattern here) is the format to extract a field

understand the regular expression [] syntax

e.g. [a-z]+ means any characters (one or more) that is from "a" to "z"
[A-Z]+means any characters (one or more) that is from "A" to "Z"
[0-9]+ means any numeric characters
the escape sequence in regex which is the "\".
note \s means space
^ has double meaning - beginning of the line or if it is inside [], then it means any character that is NOT the next character.
e.g [^\] means any character that is not your backslash
[^.] means any character that is not a dot
[^\s] means any character that is not a space

To make it easy, you can use the field extraction wizard from Splunk web but I found the generated regex inflexible and can't handle all the cases. I normally have to tweak the generated regex .

Hope this helps.