topic How to write regex to extract one capture group for user ID? in Splunk Search

How to write regex to extract one capture group for user ID?

kmcconnell — Tue, 16 Sep 2014 12:17:04 GMT

I have a regex question that I hope will be easy for someone. I’m not big on regexes so I’m coming to you all for help. I have events where the user account is coming in by itself (xyz123) and sometimes with the domain (domain\xyz123), see below. I was able to just pull out the user IDs with a regex, but it had two capture groups instead of just one [U|u]ser\s(?:[\w\.]+\\(\w+)|([\w]+))\s. I’d like to have one capture group that only has the user ID.

[MsgID: 2]The user domain\xyz123 with source IP address

[MsgID: 2]The user xyz123 with source IP address

Re: How to write regex to extract one capture group for user ID?

martin_mueller — Tue, 16 Sep 2014 12:28:43 GMT

Try this:

[uU]ser\s(?:[\w.]+\\)?(?<user>\w+)\s

...provided I correctly understand your problem 🙂

Re: How to write regex to extract one capture group for user ID?

MuS — Tue, 16 Sep 2014 12:30:48 GMT

Hi kmcconnel,

assuming your ID's are always 6 alphanumeric values and are always before with in the events, try this regex:

(?<myUserID>\w{6})(?=\swith)

hope this helps ...

cheers, MuS

Re: How to write regex to extract one capture group for user ID?

MuS — Tue, 16 Sep 2014 12:31:17 GMT

HeHe, too slow again....

Re: How to write regex to extract one capture group for user ID?

somesoni2 — Tue, 16 Sep 2014 22:17:53 GMT

This works fine after added additional backslash after [\w.]+

Re: How to write regex to extract one capture group for user ID?

kmcconnell — Wed, 17 Sep 2014 17:41:38 GMT

I tried both approaches and they both work, but the answer from martin_mueller was what I had been working toward. Thank you both for the help.