Can you please advise a rex for domain\username?
Example: windows\mathews
Below is a sample of the event I am trying to extract:
http://windows/corp/it/us\x00\x00admin/forms/allitems.aspx\x00windows\mathews\x00
Give this a try
Updated
your base search | rex field=yourfieldname "windows\\\\(?<UserName>\w+)"
Runanywhere sample search
| gentimes start=-1 | eval temp="http://windows/corp/it/us\x00\x00admin/forms/allitems.aspx\x00windows\mathews\x00" | table temp | rex field=temp "windows\\\\(?<UserName>\w+)"
Didn't work out. The domain name here is "windows\mathews", where "windows" is like a static domain name I have in all the logs, meaning I don't have any other domains except "windows". I just want to grab the username out of it.
Try the updated query.
That will work if your usernames only ever contain a-z 0-9 or _
This one will match any character up to a \
your base search | rex field=yourfieldname "windows\\\\(?<UserName>.+?)\\\\"
I was hoping something like this would work. This was generated through the erex, but needs some adjustments I guess:
rex "(?i)windows\(?P[^\]+)"
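Added example, not part of any post in this thread: a Python comparison of the three capture styles discussed above (`\w+`, lazy match up to a backslash, and a negated character class) on events built in the sample's layout. The usernames other than `mathews`, the helper names and the short "logon by" event are constructed for illustration.

```python
import re

# Python's re needs (?P<name>...) for named groups; Splunk's rex (PCRE)
# also accepts the (?<name>...) form used in the thread.
PATTERNS = {
    # Stops at the first character that is not a-z, A-Z, 0-9 or _
    "word_chars": re.compile(r"windows\\(?P<UserName>\w+)"),
    # Any characters up to the next backslash; requires that backslash to exist
    "lazy_to_backslash": re.compile(r"windows\\(?P<UserName>.+?)\\"),
    # Any run of non-backslash characters; also matches at end of event
    "negated_class": re.compile(r"(?i)windows\\(?P<UserName>[^\\]+)"),
}


def make_event(user):
    """Build a constructed event in the layout of the thread's sample.

    The \\x00 sequences are literal text (backslash, x, 0, 0), as in the log.
    """
    prefix = r"http://windows/corp/it/us\x00\x00admin/forms/allitems.aspx\x00windows"
    return prefix + "\\" + user + r"\x00"


def extract(event):
    """Return the UserName each pattern captures, or None when it does not match."""
    result = {}
    for name, rx in PATTERNS.items():
        m = rx.search(event)
        result[name] = m.group("UserName") if m else None
    return result


if __name__ == "__main__":
    samples = [
        make_event("mathews"),      # username from the thread
        make_event("john.smith"),   # constructed: contains a dot
        make_event("svc-backup"),   # constructed: contains a hyphen
        "logon by windows\\mathews",  # constructed: no trailing backslash
    ]
    for ev in samples:
        print(ev)
        for name, user in extract(ev).items():
            print(f"    {name:18} -> {user!r}")
```

The `\w+` form silently truncates `john.smith` to `john`, which would attribute events to the wrong account, and the lazy form returns nothing when no backslash follows the username.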