All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How could I extract a user ID using regex?

digital_alchemy
Path Finder
‎02-05-2014 01:42 PM

I have log data that contains userID and have not been able to extract the first few characters of the string.

Sample strings:

 (G477EFK@XYZ.LOCAL)
 (H587ABF@XYZ.LOCAL)
 (7P4LCDK@XYZ.LOCAL)

I only want the first four alphanumeric characters.
When I tried the interactive field extracter I can only get it to extract the full string usin it's suggested regex of:

 (?i)^(?:[^/]*/){4}\d+\)\s+(?P<FIELDNAME>[^ ]+)

I've tested this one with a regex tester online and it works for what I need but cant get it to work with Splunk.

[^(XYZ.local)](?:[a-z0-9]){4}

Any suggestions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎02-07-2014 12:55 PM

I wrote the interactive field extractor. It wasn't optimized to get the case where you want some alphanumeric characters that are touching other alphanumeric characters.

But the solution is simple.

Just go back into interactive field extractor, have it generate the regex:

(?i)^(?:[^/]*/){4}\d+\)\s+(?P<FIELDNAME>[^ ]+)

Then click "edit" and change the last "+" to a "{4}"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

carasso
Splunk Employee
Splunk Employee
‎02-07-2014 12:55 PM

I wrote the interactive field extractor. It wasn't optimized to get the case where you want some alphanumeric characters that are touching other alphanumeric characters.

But the solution is simple.

Just go back into interactive field extractor, have it generate the regex:

(?i)^(?:[^/]*/){4}\d+\)\s+(?P<FIELDNAME>[^ ]+)

Then click "edit" and change the last "+" to a "{4}"

0 Karma
Reply
Solved! Jump to solution

Rob
Splunk Employee
Splunk Employee
‎02-06-2014 01:38 AM

This might be oversimplifying things a bit, but if you only want the first 4 alpha-numeric characters after the opening parentheses, would this do the job for you?

|rex field=_raw "\((?<first_4_char>\w{4})"

If you want to put the extraction in to your props.conf file (similar to how the interactive field extractor saves this) its simply:

[StanzaName]
EXTRACT-myExtract=\((?<first_4_char>\w{4})

After adding this line to your props.conf file, you an issue the following search command to reload the extractions:

| extract reload=T
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎02-05-2014 01:55 PM

through rex;

... | rex "\((?<your_field>\w{4})[^@]+@\w+\.\w+\)" | the rest of your search

/k

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...