https://community.splunk.com/t5/Splunk-Search/more-regex-help/m-p/540297#M152842 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/34998">@tkerr1357</a>,</P><P>Please try this;</P><LI-CODE lang="markup">| rex "User:\sRIGHTNETWORKS\\(?&lt;username&gt;[^\s]+)"</LI-CODE> Wed, 17 Feb 2021 18:38:02 GMT scelikok 2021-02-17T18:38:02Z https://community.splunk.com/t5/Splunk-Search/more-regex-help/m-p/540284#M152836 <P>Hey All,</P><P>I am trying to pull the username from the following event which is everything after the Rightnetworks\ in the event. Also to complicate things It could be a name or a set of numbers or a name with numbers in it. Any help is apperciated.</P><P>here are some example events:</P><P><SPAN class="t"><SPAN class="t h">02/17</SPAN>/2021</SPAN> <SPAN class="t">11:45:19</SPAN> <SPAN class="t">AM</SPAN> <SPAN class="t">LogName=Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</SPAN> <SPAN class="t">SourceName=Microsoft-Windows-TerminalServices-LocalSessionManager</SPAN> <SPAN class="t">EventCode=25</SPAN> <SPAN class="t">EventType=4</SPAN> <SPAN class="t">Type=Information</SPAN> <SPAN class="t">ComputerName=BPSQCP03S11.rightnetworks.com</SPAN> <SPAN class="t">User=NOT_TRANSLATED</SPAN> <SPAN class="t">Sid=S-1-5-18</SPAN> <SPAN class="t">SidType=0</SPAN> <SPAN class="t">TaskCategory=None</SPAN> <SPAN class="t">OpCode=Info</SPAN> <SPAN class="t">RecordNumber=1079076</SPAN> <SPAN class="t">Keywords=None</SPAN> <SPAN class="t">Message=Remote</SPAN> <SPAN class="t">Desktop</SPAN> <SPAN class="t">Services:</SPAN> <SPAN class="t">Session</SPAN> <SPAN class="t">reconnection</SPAN> <SPAN class="t">succeeded:</SPAN> <SPAN class="t">User:</SPAN> <SPAN class="t">RIGHTNETWORKS\465714</SPAN> <SPAN class="t">Session</SPAN> <SPAN class="t">ID:</SPAN> <SPAN class="t">350</SPAN> <SPAN class="t">Source</SPAN> <SPAN class="t">Network</SPAN> <SPAN class="t">Address:</SPAN> <SPAN class="t">184.97.224.236</SPAN></P><P>&nbsp;</P><P><SPAN class="t"><SPAN class="t h">02/17</SPAN>/2021 11:45:18 AM LogName=Microsoft-Windows-TerminalServices-LocalSessionManager/Operational SourceName=Microsoft-Windows-TerminalServices-LocalSessionManager EventCode=25 EventType=4 Type=Information ComputerName=RNVSASP217.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=None OpCode=Info RecordNumber=1064633 Keywords=None Message=Remote Desktop Services: Session reconnection succeeded: User: RIGHTNETWORKS\veronicagutierrez Session ID: 342 Source Network Address: 216.67.212.82</SPAN></P> Wed, 17 Feb 2021 17:33:33 GMT https://community.splunk.com/t5/Splunk-Search/more-regex-help/m-p/540284#M152836 tkerr1357 2021-02-17T17:33:33Z https://community.splunk.com/t5/Splunk-Search/more-regex-help/m-p/540297#M152842 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/34998">@tkerr1357</a>,</P><P>Please try this;</P><LI-CODE lang="markup">| rex "User:\sRIGHTNETWORKS\\(?&lt;username&gt;[^\s]+)"</LI-CODE> Wed, 17 Feb 2021 18:38:02 GMT https://community.splunk.com/t5/Splunk-Search/more-regex-help/m-p/540297#M152842 scelikok 2021-02-17T18:38:02Z https://community.splunk.com/t5/Splunk-Search/more-regex-help/m-p/540330#M152856 <P>no such luck with this one.</P> Thu, 18 Feb 2021 00:39:06 GMT https://community.splunk.com/t5/Splunk-Search/more-regex-help/m-p/540330#M152856 tkerr1357 2021-02-18T00:39:06Z https://community.splunk.com/t5/Splunk-Search/more-regex-help/m-p/540338#M152862 <P>What is the problem? It is working for your sample events. Please see on Regex101.</P><P><A href="https://regex101.com/r/xlvrf1/1" target="_blank">https://regex101.com/r/xlvrf1/1</A>&nbsp;</P> Thu, 18 Feb 2021 04:44:00 GMT https://community.splunk.com/t5/Splunk-Search/more-regex-help/m-p/540338#M152862 scelikok 2021-02-18T04:44:00Z https://community.splunk.com/t5/Splunk-Search/more-regex-help/m-p/540380#M152880 <P>looks like it was an issue with my search. I was able to add the regex provided as a field extraction and that provided what I was looking for.&nbsp;</P> Thu, 18 Feb 2021 12:49:01 GMT https://community.splunk.com/t5/Splunk-Search/more-regex-help/m-p/540380#M152880 tkerr1357 2021-02-18T12:49:01Z