https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249249#M74422 <P>whups, sorry Ignore the 8:43:57 on the last event sample. Cut and Paste error</P> Sun, 16 Oct 2016 02:12:31 GMT dbcase 2016-10-16T02:12:31Z https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249248#M74421 <P>Hi,</P> <P>I'm trying to pull the user ID from the below data? The userids are: mspeer2, ddaniel, mirella, jcrews</P> <P>I have a regex of </P> <PRE><CODE>rex "(?i)^(?:[^\-]*\-){7}\"\s+\"(?P&lt;loginid&gt;[^\"]+)" </CODE></PRE> <P>but it isn't working 100% (more like 50%)</P> <PRE><CODE> "something.something.com" 75.27.137.133 "75.27.137.133" - - [15/Oct/2016:20:58:26 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 352093 0 UCT-193960 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-" "mspeer2" "something.something.com" 104.57.183.12 "104.57.183.12" - - [15/Oct/2016:20:58:04 -0500] "GET /rest/icontrol/login HTTP/1.1" 200 158 0 UCT-42064 "-" "HCM-R1" "-" "ddaniel" "something.something.com" 70.117.114.84 "70.117.114.84" - - [15/Oct/2016:20:55:14 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 135730 0 UCT-82180 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-" "mirella" </CODE></PRE> <P>8:43:57.000 PM<BR /><BR /> "something.something.com" 70.114.175.247 "70.114.175.247" - - [15/Oct/2016:20:43:57 -0500] "GET /rest/icontrol/login?expand=instances,points,functions HTTP/1.1" 200 99115 0 UCT-81322 "-" "-" "-" "jcrews"</P> Sun, 16 Oct 2016 02:07:21 GMT https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249248#M74421 dbcase 2016-10-16T02:07:21Z https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249249#M74422 <P>whups, sorry Ignore the 8:43:57 on the last event sample. Cut and Paste error</P> Sun, 16 Oct 2016 02:12:31 GMT https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249249#M74422 dbcase 2016-10-16T02:12:31Z https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249250#M74423 <P>If the login name is always the last one to occur in the log line then u can try below:</P> <PRE><CODE>.*\"(?&lt;loginid&gt;[^\"]+)\"$ </CODE></PRE> Sun, 16 Oct 2016 02:33:08 GMT https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249250#M74423 gokadroid 2016-10-16T02:33:08Z https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249251#M74424 <P>Hi Gokadroid!</P> <P>Many thanks! I've been working on figuring that out for a long time!!! Yours works great!!!! </P> Sun, 16 Oct 2016 02:36:01 GMT https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249251#M74424 dbcase 2016-10-16T02:36:01Z https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249252#M74425 <P>Awesome!! If you can upvote the answer as well that will be great !!</P> Sun, 16 Oct 2016 02:37:16 GMT https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249252#M74425 gokadroid 2016-10-16T02:37:16Z https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249253#M74426 <P>Cool..thanks a lot @dbcase ...Happy Splunking!!</P> Sun, 16 Oct 2016 02:40:23 GMT https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249253#M74426 gokadroid 2016-10-16T02:40:23Z https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249254#M74427 <P>Thank you! You don't know how much this helped!</P> Sun, 16 Oct 2016 02:42:14 GMT https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249254#M74427 dbcase 2016-10-16T02:42:14Z https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249255#M74428 <P>No need to include all the text in front and <CODE>"</CODE> does not need to be escaped in the <CODE>[]</CODE>, so this should do <CODE>\"(?&lt;loginid&gt;[^"]+)\"$</CODE> </P> Sun, 16 Oct 2016 19:54:27 GMT https://community.splunk.com/t5/Splunk-Search/Stumped-on-this-regex/m-p/249255#M74428 lakromani 2016-10-16T19:54:27Z