topic Re: What is the most efficient way to extract user name from my sample Message fields? in Splunk Search

What is the most efficient way to extract user name from my sample Message fields?

smudge797 — Mon, 20 Jun 2016 14:19:51 GMT

What's the most efficient way to extract the user name from these messages:

Message=Self-service Plug-in started (user=DOMAINX\a123456)
Message=Self-service Plug-in started (user=DOMAINY\c123456)

Thanks

Re: What is the most efficient way to extract user name from my sample Message fields?

jmallorquin — Mon, 20 Jun 2016 14:27:03 GMT

Hi,

props.conf

[<<sourcetype>>>]
.
.
.

    EXTRACT-user = \\(?<user_wo_domain>[^\)]+)\)$

Hope i help you

Re: What is the most efficient way to extract user name from my sample Message fields?

richgalloway — Mon, 20 Jun 2016 14:28:20 GMT

I'm not sure if it's the most efficient, but it's one of the simplest.

... | rex field=Message "\\(?<userName>[^\)]*)" | ...

Re: What is the most efficient way to extract user name from my sample Message fields?

woodcock — Mon, 20 Jun 2016 14:30:46 GMT

Like this:

... | rex field=Message "\(user=(?<user>[^\)]+)"

Re: What is the most efficient way to extract user name from my sample Message fields?

ddrillic — Mon, 20 Jun 2016 14:34:20 GMT

\\(?<user>(\w|\d+)*) should do it...

Re: What is the most efficient way to extract user name from my sample Message fields?

smudge797 — Mon, 20 Jun 2016 14:49:49 GMT

Error in 'rex' command: Encountered the following error while compiling the regex '(?(\w|\d+)*)': Regex: unmatched parentheses

Re: What is the most efficient way to extract user name from my sample Message fields?

smudge797 — Mon, 20 Jun 2016 14:51:26 GMT

Nice,

user="DOMAINY\L123456"
Can we drop the domain or separate it?

Re: What is the most efficient way to extract user name from my sample Message fields?

smudge797 — Mon, 20 Jun 2016 14:52:00 GMT

Error in 'rex' command: Encountered the following error while compiling the regex '\(?[^\)]*)': Regex: unmatched parentheses

Re: What is the most efficient way to extract user name from my sample Message fields?

ddrillic — Mon, 20 Jun 2016 14:55:56 GMT

right ; -)

| rex  field=data "\\\(?<user>(\w|\d)*)"

three slashes - the editors mistreat them ....

Re: What is the most efficient way to extract user name from my sample Message fields?

richgalloway — Mon, 20 Jun 2016 14:56:02 GMT

The leading backslash needs to be escaped. Otherwise, it escapes the left paren.

Re: What is the most efficient way to extract user name from my sample Message fields?

woodcock — Mon, 20 Jun 2016 16:05:14 GMT

Like this:

 ... | rex field=Message "\(user=(?<domain>[^\\\]+)\\\(?<user>[^\)]+)"

Re: What is the most efficient way to extract user name from my sample Message fields?

smudge797 — Mon, 20 Jun 2016 16:10:39 GMT

Nice thanks!

Re: What is the most efficient way to extract user name from my sample Message fields?

ppablo — Mon, 20 Jun 2016 20:52:17 GMT

Hi @smudge797

Glad you found a solution through @woodcock and gave him an upvote, but please don't forget to click "Accept" directly below his answer to resolve the question. Thanks!

Re: What is the most efficient way to extract user name from my sample Message fields?

smudge797 — Mon, 20 Jun 2016 21:21:40 GMT

Done!

Thanks.