topic Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction? in Splunk Search

How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

kris99 — Tue, 07 Oct 2014 00:12:16 GMT

How do I use regex within search to remove the domain from the field "User name" and use the username only as named extraction.

domain\username

something like this i think but don't know who to write regex to extract username or extract everything after "\" from field "User name"

| rex field="User name" "" | eval UserName=lower(UserName) | where UserName=lower(UserName) | search UserName="*"

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

richgalloway — Tue, 07 Oct 2014 00:22:42 GMT

What separates domain from username? Please share a sample of your data.

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

kris99 — Tue, 07 Oct 2014 00:29:43 GMT

just "\"

"User name"=domain\username

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

richgalloway — Tue, 07 Oct 2014 00:32:36 GMT

Just what? If there's a character between the quotation marks, it's not showing up. Escape the character or use backtics.

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

kris99 — Tue, 07 Oct 2014 00:34:53 GMT

editor is removing backward slash

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

kris99 — Tue, 07 Oct 2014 00:36:28 GMT

 domain\username

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

richgalloway — Tue, 07 Oct 2014 00:43:31 GMT

Try this:

... | rex field="User name" "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...

If Splunk doesn't like a field name with a space in it, try this:

... | eval domainUsername="User name" | rex field=domainUsername "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

kris99 — Tue, 07 Oct 2014 00:56:46 GMT

getting an error as below. domain includes domain-22\username

Error in 'rex' command: Encountered the following error while compiling the regex '(?<domain-22>\S+)\(?<userName>\S+)': Regex: unmatched parentheses

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

richgalloway — Tue, 07 Oct 2014 00:59:13 GMT

The parts between < and > define a Splunk field into which rex will extract matches. They're not placeholders. Change "domain-22" back to "domain" and it should work.

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

kris99 — Tue, 07 Oct 2014 01:06:56 GMT

still getting same error. tried both options above

Error in 'rex' command: Encountered the following error while compiling the regex '(?<domain>\S+)\(?<userName>\S+)': Regex: unmatched parentheses

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

richgalloway — Tue, 07 Oct 2014 01:09:28 GMT

The backslash needs to be escaped.

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

kris99 — Tue, 07 Oct 2014 01:33:02 GMT

only using this.. no luck

rex field=domainUsername "(?<domain>\S+)\\(?<userName>\S+)"

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

richgalloway — Tue, 07 Oct 2014 02:24:30 GMT

What do you get?

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

kris99 — Tue, 07 Oct 2014 02:26:08 GMT

same error above

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

richgalloway — Tue, 07 Oct 2014 02:36:19 GMT

The escape character needs to be escaped. I've updated the answer.

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

kris99 — Tue, 07 Oct 2014 03:03:39 GMT

works like a charm.. thank you !

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

richgalloway — Tue, 07 Oct 2014 10:54:38 GMT

Please accept the answer.

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

kris99 — Wed, 08 Oct 2014 02:29:41 GMT

yes i did.

just so i learn how to write regex, if it was seperated by : what would i replace it with ?

Re: How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

richgalloway — Wed, 08 Oct 2014 02:48:34 GMT

In the regex in the answer, the four backslashes are the separator between the domain and username. If the separator becomes ':' then the regex becomes "(?\S+):(?\S+)".

A good way to learn is through experimentation. Try regexr.