https://community.splunk.com/t5/Splunk-Search/REGEX-help-I-am-still-learning/m-p/516943#M145318 <P>To all:</P><P>Still learning about REGEX ...&nbsp; I looked at RUBULAR.COM and REFEX101.com to figure out how to pull out the Users ids...&nbsp; &nbsp;In the example below need to get 4 User Ids out ...&nbsp; &nbsp;I matched on single quote ' - however not able to get&nbsp; the 4 ids in one swoop ... any suggestions?&nbsp; Its just not that easy...&nbsp;</P><P>Watched a couple of Youtubes on regex ... just not that all intuitive when condition are a little bit more tricky. appreciate any help I can get.</P><P>&nbsp;</P><P>Multiple 'access denied' events detected with protocol smb (at least 41 failed attempts in 15 seconds). Last usernames used in login requests are: 'NA\HXXX6LBDBMCXT2$', 'NA\RKXXXEDE', 'UPSTREAM\dXXXcline', 'ULAB\l3xxxxcli'. Last path trying to access FA Labs\XXXM\Lumisizer\08-xx-2020_1201 A-D, 1201 A2-D2 - Copy\1201 C.xlsx</P> Sun, 30 Aug 2020 22:20:01 GMT Stephen11 2020-08-30T22:20:01Z https://community.splunk.com/t5/Splunk-Search/REGEX-help-I-am-still-learning/m-p/516943#M145318 <P>To all:</P><P>Still learning about REGEX ...&nbsp; I looked at RUBULAR.COM and REFEX101.com to figure out how to pull out the Users ids...&nbsp; &nbsp;In the example below need to get 4 User Ids out ...&nbsp; &nbsp;I matched on single quote ' - however not able to get&nbsp; the 4 ids in one swoop ... any suggestions?&nbsp; Its just not that easy...&nbsp;</P><P>Watched a couple of Youtubes on regex ... just not that all intuitive when condition are a little bit more tricky. appreciate any help I can get.</P><P>&nbsp;</P><P>Multiple 'access denied' events detected with protocol smb (at least 41 failed attempts in 15 seconds). Last usernames used in login requests are: 'NA\HXXX6LBDBMCXT2$', 'NA\RKXXXEDE', 'UPSTREAM\dXXXcline', 'ULAB\l3xxxxcli'. Last path trying to access FA Labs\XXXM\Lumisizer\08-xx-2020_1201 A-D, 1201 A2-D2 - Copy\1201 C.xlsx</P> Sun, 30 Aug 2020 22:20:01 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-help-I-am-still-learning/m-p/516943#M145318 Stephen11 2020-08-30T22:20:01Z https://community.splunk.com/t5/Splunk-Search/REGEX-help-I-am-still-learning/m-p/516950#M145320 <P>Can you share sample event?</P><P>the example you shared is not clear.</P> Mon, 31 Aug 2020 05:02:46 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-help-I-am-still-learning/m-p/516950#M145320 thambisetty 2020-08-31T05:02:46Z https://community.splunk.com/t5/Splunk-Search/REGEX-help-I-am-still-learning/m-p/516954#M145324 <P>Hi</P><P>With your example this seems to work.</P><LI-CODE lang="java">index=_internal | head 1 | eval _raw = "Multiple 'access denied' events detected with protocol smb (at least 41 failed attempts in 15 seconds). Last usernames used in login requests are: 'NA\HXXX6LBDBMCXT2$', 'NA\RKXXXEDE', 'UPSTREAM\dXXXcline', 'ULAB\l3xxxxcli'. Last path trying to access FA Labs\XXXM\Lumisizer\08-xx-2020_1201 A-D, 1201 A2-D2 - Copy\1201 C.xlsx" | rename COMMENT AS "previous set example data, next do the regex" | rex max_match=0 "Last usernames used in login requests are:\s(?&lt;NamesAll&gt;[^\.]+)" | rex max_match=0 field=NamesAll "([',\s\.])+(?&lt;Names&gt;[^']+)"</LI-CODE><P>r. Ismo&nbsp;</P> Mon, 31 Aug 2020 06:43:44 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-help-I-am-still-learning/m-p/516954#M145324 isoutamo 2020-08-31T06:43:44Z