We're making progress.  All that remains is to do as the message says and put a name to the capture group.

source="test.csv" 
| rex field=raw_line "sblogin/(?<extracted_string>[^\"]+)" 
| eval extracted_string=substr(extracted_string, 9)

Thanks I ran this query and it worked, but the output was basically everything, all text from the query lines. The usernames after sblogin/ were not specifically outputted on their own?

source="test.csv"
| rex field=raw_line "sblogin/(?<extracted_string>[^\"]+)"
| eval extracted_string=substr(extracted_string, 9)

I was hope to just see all the usernames and nothing else?

We continue to make progress.

The rex command merely extracts fields.  The extracted fields are added to the existing set of fields.  To control which fields are shown in the results, use the fields or table command.

source="test.csv"
| rex field=raw_line "sblogin/(?<extracted_string>[^\"]+)"
| eval extracted_string=substr(extracted_string, 9)
| table extracted_string

BTW, the substr function is looking for the 9th character in extracted_string.  In the example data, extracted_string is "username", which doesn't have 9 characters so substr returns nothing.

In this case - one backslash is enough 🙂 The quote is within a character class so it's treated literarily.

But in other cases it could indeed need more escaping. (and yes, escaping regexes can be a pain).

Even with one backslash I get the same error

source="test.csv"
| rex field=raw_line "sblogin/([^\"]+)"
| eval extracted_string=substr(extracted_string, 9)

Error in 'rex' command: The regex 'sblogin/([^\"]+)' does not extract anything. It should specify at least one named group. Format: (?<name>...)