topic Re: REGEX Help to extract USERID in Splunk Search

REGEX Help to extract USERID

kmccowen — Tue, 29 Sep 2020 09:37:48 GMT

I'm trying to extract the userid field but am not able to get a clean extraction. I've tried several combinations all have different issues and are not exact.

FAILED REGEX Attempts:
^(?:[^[\n][){8}(?P[^]]+)
^(?:[^:\n]:){7}\s+(?P\w+)
^[^)\n]*)']\s+[\w+:\s+(?P\w+)

data sub set:
[2016-05-03T23:59:57.225-05:00] [gw_server1] [NOTIFICATION] [] [com.charter.care.customer.view.device.backing.deviceStatusFlow.DeviceStatusManager] [tid: [ACTIVE].ExecuteThread: '26' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: nhorsley] [ecid: a44b71a4-e0b3-420d-9d59-fd890c508729-0024359c,0] [APP: chtrgwy] DM-provisioning-operation = REPROVISION_PHONE_INTERNET Account = 8357190022950*** Mac = 001dd6725*** AuditUser = CHTRGWY:nhorsley Status = INFO: QTS retry number 2 for order ID 50487161 - Location-JobCode-JobTitle - CC-Louisville Call Center-D713-Cust Rel Coord-Internet/Phone
VALID
[2016-05-03T23:59:56.390-05:00] [gw_server1] [NOTIFICATION] [] [com.charter.care.customer.memo.model.dao.MemoServiceHelper] [tid: [ACTIVE].ExecuteThread: '28' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: sshimin] [ecid: a44b71a4-e0b3-420d-9d59-fd890c508729-00243595,0] [APP: chtrgwy] 2016-05-03 23:59:56.39 - ADD MEMO PROCESSED - 8345780100010*** - UI0 - Caller verified - CC-Louisville Call Center-D719-Cust Rel Coord-Comm Repair
VALID
[2016-05-03T23:59:56.357-05:00] [gw_server3] [NOTIFICATION] [] [com.charter.customer.care.view.backing.banner.BannerFlowManager] [tid: [ACTIVE].ExecuteThread: '27' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: bxburns] [ecid: 1ca25884-aa12-4021-a3c7-b7865adbba6f-002474e8,0] [APP: chtrgwy] 2016-05-03 23:59:56.357 - TROUBLESHOOTING2 TAB CLICK - 8351200211445*** - HIR - CC-Louisville Call Center-D713-Cust Rel Coord-Internet/Phone
VALID
[2016-05-03T23:59:56.193-05:00] [gw_server1] [NOTIFICATION] [] [com.charter.care.customer.memo.model.dao.MemoServiceHelper] [tid: [ACTIVE].ExecuteThread: '28' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: sshimin] [ecid: a44b71a4-e0b3-420d-9d59-fd890c508729-00243595,0] [APP: chtrgwy] 2016-05-03 23:59:56.193 - ADD MEMO INITIATED - 8345780100010*** - UI0 - Caller verified - CC-Louisville Call Center-D719-Cust Rel Coord-Comm Repair
VALID
[2016-05-03T23:59:56.193-05:00] [gw_server1] [NOTIFICATION] [] [com.charter.customer.care.view.backing.banner.BannerFlowManager] [tid: [ACTIVE].ExecuteThread: '28' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: sshimin] [ecid: a44b71a4-e0b3-420d-9d59-fd890c508729-00243595,0] [APP: chtrgwy] 2016-05-03 23:59:56.193 - ACCOUNT VERIFIED - 8345780100010*** - UI0 - CC-Louisville Call Center-D719-Cust Rel Coord-Comm Repair

Re: REGEX Help to extract USERID

jkat54 — Mon, 09 May 2016 14:47:31 GMT

Hi & good morning,

Let us know if this works:

userId:\s(?<userId>\w+)

Re: REGEX Help to extract USERID

ctaf — Mon, 09 May 2016 14:48:31 GMT

Hello,

How about:

"\[userId:\s(?<userID>[^\]]+)"

I tried with this, and it worked:

|stats count | eval test="[com.charter.care.customer.view.device.backing.deviceStatusFlow.DeviceStatusManager] [tid: [ACTIVE].ExecuteThread: '26' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: nhorsley] [ecid: a44b71a4-e0b3-420d-9d59-fd890c508729-0024359c,0] [APP: chtrgwy] DM-provisioning-operation = REPROVISION_PHONE_INTERNET Account = 8357190022950* Mac = 001dd6725 AuditUser = CHTRGWY:nhorsley Status = INFO: QTS retry number 2 for order ID 50487161 - Location-JobCode-JobTitle - CC-Louisville Call Center-D713-Cust Rel Coord-Internet/Phone" | rex field=test "\[userId:\s(?<userID>[^\]]+)"

Re: REGEX Help to extract USERID

horsefez — Mon, 09 May 2016 15:05:48 GMT

This is a good way of testing regular expressions. Thanks!

Re: REGEX Help to extract USERID

ra01 — Mon, 09 May 2016 15:13:32 GMT

a site like http://regexr.com/ is great to test out the extraction

userId:\s(?P<userid>\w+)\]

Re: REGEX Help to extract USERID

kmccowen — Mon, 09 May 2016 16:36:35 GMT

Thanks everybody!

Re: REGEX Help to extract USERID

jkat54 — Mon, 09 May 2016 18:05:15 GMT

i show ra01 regexr today and then he uses it to one up me on an answer 😜

I argue my regex is more efficient though !!!

Re: REGEX Help to extract USERID

ra01 — Mon, 09 May 2016 18:17:25 GMT

I have a section about using regexr in my work wiki I wrote on Splunk. 😉

I'm sure there's more efficient ways to write the expression.

Re: REGEX Help to extract USERID

jkat54 — Mon, 09 May 2016 18:35:47 GMT

Yep, i confused you with someone else I worked with today. My apologies. Great site though!