https://community.splunk.com/t5/Splunk-Search/Extract-username-with-dash-Field-from-event/m-p/575079#M200387 <P>Hello Everyone,</P><P>&nbsp;</P><P>I'm trying to extract usernames from the logs of a proftpd.</P><P>An event looks like this:</P><P>2021-11-16 16:17:43,866 HOST proftpd[28071] 10.10.10.10 (11.11.11.11[22.22.22.22]): USER ASD-ASDASD: Login successful.</P><P>&nbsp;</P><P>Simple usernames (ASDFG) works fine, also usernames with _ like ASD_ASD. But as soon as the username contains - character, its only extract the first part <STRONG>ASD</STRONG>-ASDASD</P><P>How do I circumvent this? How can I extract strings that contains - ?</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 16 Nov 2021 15:56:11 GMT miberecz 2021-11-16T15:56:11Z https://community.splunk.com/t5/Splunk-Search/Extract-username-with-dash-Field-from-event/m-p/575079#M200387 <P>Hello Everyone,</P><P>&nbsp;</P><P>I'm trying to extract usernames from the logs of a proftpd.</P><P>An event looks like this:</P><P>2021-11-16 16:17:43,866 HOST proftpd[28071] 10.10.10.10 (11.11.11.11[22.22.22.22]): USER ASD-ASDASD: Login successful.</P><P>&nbsp;</P><P>Simple usernames (ASDFG) works fine, also usernames with _ like ASD_ASD. But as soon as the username contains - character, its only extract the first part <STRONG>ASD</STRONG>-ASDASD</P><P>How do I circumvent this? How can I extract strings that contains - ?</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 16 Nov 2021 15:56:11 GMT https://community.splunk.com/t5/Splunk-Search/Extract-username-with-dash-Field-from-event/m-p/575079#M200387 miberecz 2021-11-16T15:56:11Z https://community.splunk.com/t5/Splunk-Search/Extract-username-with-dash-Field-from-event/m-p/575082#M200388 <P>What extraction are you currently using?</P> Tue, 16 Nov 2021 16:01:34 GMT https://community.splunk.com/t5/Splunk-Search/Extract-username-with-dash-Field-from-event/m-p/575082#M200388 ITWhisperer 2021-11-16T16:01:34Z https://community.splunk.com/t5/Splunk-Search/Extract-username-with-dash-Field-from-event/m-p/575084#M200389 <P>It was extracted automatically, and so far I trusted it until I realized its not complete. Now I believe I need a regex the gets everything&nbsp; after the string USER and before the :&nbsp;</P> Tue, 16 Nov 2021 16:11:17 GMT https://community.splunk.com/t5/Splunk-Search/Extract-username-with-dash-Field-from-event/m-p/575084#M200389 miberecz 2021-11-16T16:11:17Z https://community.splunk.com/t5/Splunk-Search/Extract-username-with-dash-Field-from-event/m-p/575089#M200390 <P>| makeresults<BR />| eval _raw = "2021-11-16 16:17:43,866 HOST proftpd[28071] 10.10.10.10 (11.11.11.11[22.22.22.22]): USER ASD-ASDASD: Login successful."<BR />| rex field=_raw ":\sUSER\s(?&lt;user_id&gt;[^:]*)"<BR />| table user_id</P> Tue, 16 Nov 2021 16:41:54 GMT https://community.splunk.com/t5/Splunk-Search/Extract-username-with-dash-Field-from-event/m-p/575089#M200390 johnhuang 2021-11-16T16:41:54Z https://community.splunk.com/t5/Splunk-Search/Extract-username-with-dash-Field-from-event/m-p/575100#M200395 <P>Extracting everything between "USER" and a colon (":") is relatively easy:</P><PRE>USER\s(?&lt;username&gt;[^:]*):</PRE><P>There is one caveat though. If your username contains a colon (":"), it will only capture the username up to (and without) that colon.</P><P>BTW, you could try TA for proftpd - <A href="https://github.com/jewnix/TA-proftpd" target="_blank">https://github.com/jewnix/TA-proftpd</A></P> Tue, 16 Nov 2021 17:53:10 GMT https://community.splunk.com/t5/Splunk-Search/Extract-username-with-dash-Field-from-event/m-p/575100#M200395 PickleRick 2021-11-16T17:53:10Z